
Warn the user if they're running with an insecure looking setup (fixes #2139)

Jakob Borg 10 سال پیش
کامیت
b1a86fbc98
6فایلهای تغییر یافته به همراه48 افزوده شده و 7 حذف شده
  1. 4 0
      cmd/syncthing/main.go
  2. 4 0
      gui/assets/lang/lang-en.json
  3. 23 0
      gui/index.html
  4. 9 0
      gui/syncthing/core/syncthingController.js
  5. 1 1
      lib/auto/gui.files.go
  6. 7 6
      lib/config/guiconfiguration.go

+ 4 - 0
cmd/syncthing/main.go

@@ -892,6 +892,10 @@ func setupGUI(mainSvc *suture.Supervisor, cfg *config.Wrapper, m *model.Model, a
 		return
 	}
 
+	if guiCfg.InsecureAdminAccess {
+		l.Warnln("Insecure admin access is enabled.")
+	}
+
 	api, err := newAPISvc(myID, cfg, guiAssets, m, apiSub, discoverer, relaySvc, errors, systemLog)
 	if err != nil {
 		l.Fatalln("Cannot start GUI:", err)
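Review bot: The new startup warning fires only when InsecureAdminAccess is set, which is the flag the openNoAuth check in gui/syncthing/core/syncthingController.js uses to suppress the web-UI warning, so the two sides disagree: an operator who has acknowledged the exposure gets a log line on every start, while the genuinely exposed case (non-loopback address with no user or password) logs nothing and is reported only in the browser. Since the log is the only signal on headless installs, consider checking the actual condition here as well; guiCfg is a GUIConfiguration (the field is added in lib/config/guiconfiguration.go), so User, Password and Address() are available, and the check would need the net package in the import block if it is not already there. setupGUI begins before this hunk.
```go
	if guiCfg.InsecureAdminAccess {
		l.Warnln("Insecure admin access is enabled.")
	}
	// Also warn when the GUI listens on a non-loopback address without
	// credentials, mirroring the openNoAuth check in the web UI.
	if host, _, err := net.SplitHostPort(guiCfg.Address()); err == nil {
		ip := net.ParseIP(host)
		loopback := host == "localhost" || (ip != nil && ip.IsLoopback())
		if !loopback && (guiCfg.User == "" || guiCfg.Password == "") {
			l.Warnln("GUI is reachable from other hosts without authentication.")
		}
	}
	// … unchanged: newAPISvc call and error handling …
```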

+ 4 - 0
gui/assets/lang/lang-en.json

@@ -32,6 +32,7 @@
    "Copied from elsewhere": "Copied from elsewhere",
    "Copied from original": "Copied from original",
    "Copyright © 2015 the following Contributors:": "Copyright © 2015 the following Contributors:",
+   "Danger!": "Danger!",
    "Delete": "Delete",
    "Deleted": "Deleted",
    "Device ID": "Device ID",
@@ -117,6 +118,7 @@
    "Pause": "Pause",
    "Paused": "Paused",
    "Please consult the release notes before performing a major upgrade.": "Please consult the release notes before performing a major upgrade.",
+   "Please set a GUI Authentication User and Password in the Settings dialog.": "Please set a GUI Authentication User and Password in the Settings dialog.",
    "Please wait": "Please wait",
    "Preview": "Preview",
    "Preview Usage Report": "Preview Usage Report",
@@ -169,6 +171,7 @@
    "Syncthing is upgrading.": "Syncthing is upgrading.",
    "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…": "Syncthing seems to be down, or there is a problem with your Internet connection. Retrying…",
    "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.": "Syncthing seems to be experiencing a problem processing your request. Please refresh the page or restart Syncthing if the problem persists.",
+   "The Syncthing admin interface is configured to allow remote access without a password.": "The Syncthing admin interface is configured to allow remote access without a password.",
    "The aggregated statistics are publicly available at {%url%}.": "The aggregated statistics are publicly available at {{url}}.",
    "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.": "The configuration has been saved but not activated. Syncthing must restart to activate the new configuration.",
    "The device ID cannot be blank.": "The device ID cannot be blank.",
@@ -193,6 +196,7 @@
    "The rate limit must be a non-negative number (0: no limit)": "The rate limit must be a non-negative number (0: no limit)",
    "The rescan interval must be a non-negative number of seconds.": "The rescan interval must be a non-negative number of seconds.",
    "They are retried automatically and will be synced when the error is resolved.": "They are retried automatically and will be synced when the error is resolved.",
+   "This can easily give hackers access to read and change any files on your computer.": "This can easily give hackers access to read and change any files on your computer.",
    "This is a major version upgrade.": "This is a major version upgrade.",
    "Trash Can File Versioning": "Trash Can File Versioning",
    "Unknown": "Unknown",

+ 23 - 0
gui/index.html

@@ -72,6 +72,29 @@
 
   <div class="container" id="content">
 
+    <!-- Panel: Open, no auth -->
+
+    <div ng-if="openNoAuth" class="row">
+      <div class="col-md-12">
+        <div class="panel panel-danger">
+          <div class="panel-heading"><h3 class="panel-title"><span class="fa fa-exclamation-circle"></span><span translate>Danger!</span></h3></div>
+          <div class="panel-body">
+            <p>
+            <span translate>The Syncthing admin interface is configured to allow remote access without a password.</span>
+            <b><span translate>This can easily give hackers access to read and change any files on your computer.</span></b>
+            <span translate>Please set a GUI Authentication User and Password in the Settings dialog.</span>
+            </p>
+          </div>
+          <div class="panel-footer">
+            <button type="button" class="btn btn-sm btn-default pull-right" ng-click="editSettings()">
+              <span class="fa fa-cog"></span>&nbsp;<span translate>Settings</span>
+            </button>
+            <div class="clearfix"></div>
+          </div>
+        </div>
+      </div>
+    </div>
+
     <!-- Panel: Restart Needed -->
 
     <div ng-if="!configInSync" class="row">

+ 9 - 0
gui/syncthing/core/syncthingController.js

@@ -368,6 +368,15 @@ angular.module('syncthing.core')
                 });
             });
 
+            // If we're not listening on localhost, and there is no
+            // authentication configured, and the magic setting to silence the
+            // warning isn't set, then yell at the user.
+            var guiCfg = $scope.config.gui;
+            $scope.openNoAuth = guiCfg.address.substr(0, 4) != "127."
+                && guiCfg.address.substr(0, 6) != "[::1]:"
+                && (!guiCfg.user || !guiCfg.password)
+                && !guiCfg.insecureAdminAccess;
+
             if (!hasConfig) {
                 $scope.$emit('ConfigLoaded');
             }
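Review bot: The loopback test feeding $scope.openNoAuth is a string-prefix check, so an address such as `localhost:8384` (not reachable from other hosts) will raise the Danger panel as a false positive, while any other hostname is treated as remote without the code saying so. A small explicit list keeps the intent readable and covers the common local spellings: `var addr = guiCfg.address;` / `var local = addr.substr(0, 4) == "127." || addr.substr(0, 6) == "[::1]:" || addr.substr(0, 10) == "localhost:";` / `$scope.openNoAuth = !local && (!guiCfg.user || !guiCfg.password) && !guiCfg.insecureAdminAccess;`. The same "is this address local" decision is worth making in one place (the server knows the real bind address) rather than re-deriving it in the browser. The enclosing callback starts before this hunk.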

+ 1 - 1
lib/auto/gui.files.go


+ 7 - 6
lib/config/guiconfiguration.go

@@ -13,12 +13,13 @@ import (
 )
 
 type GUIConfiguration struct {
-	Enabled    bool   `xml:"enabled,attr" json:"enabled" default:"true"`
-	RawAddress string `xml:"address" json:"address" default:"127.0.0.1:8384"`
-	User       string `xml:"user,omitempty" json:"user"`
-	Password   string `xml:"password,omitempty" json:"password"`
-	RawUseTLS  bool   `xml:"tls,attr" json:"useTLS"`
-	RawAPIKey  string `xml:"apikey,omitempty" json:"apiKey"`
+	Enabled             bool   `xml:"enabled,attr" json:"enabled" default:"true"`
+	RawAddress          string `xml:"address" json:"address" default:"127.0.0.1:8384"`
+	User                string `xml:"user,omitempty" json:"user"`
+	Password            string `xml:"password,omitempty" json:"password"`
+	RawUseTLS           bool   `xml:"tls,attr" json:"useTLS"`
+	RawAPIKey           string `xml:"apikey,omitempty" json:"apiKey"`
+	InsecureAdminAccess bool   `xml:"insecureAdminAccess,omitempty" json:"insecureAdminAccess"`
 }
 
 func (c GUIConfiguration) Address() string {
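Review bot: The new InsecureAdminAccess field has no comment, and its name alone does not say which way it cuts — it is read by the web UI to silence the "open, no auth" panel and by cmd/syncthing/main.go to emit a startup warning, so a maintainer could reasonably assume it enables something rather than acknowledging it. A one-line field comment would settle that: `// InsecureAdminAccess acknowledges that the GUI may be reached without credentials; it suppresses the web-UI warning, while the server still logs a warning at startup.` The xml tag carries omitempty, so a false value is not written back to config.xml, which is also worth noting next to the field.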
