cryptomator / cli

Cryptomator Command-Line Interface
GNU Affero General Public License v3.0

Avoid exposing private data using example commandline #12

Closed SebDieBln closed 7 years ago

SebDieBln commented 7 years ago

The example command line from the README.md does not bind to localhost exclusively but instead binds to all interfaces, so the decrypted files can be accessed by anyone on the network.

This PR fixes that by binding exclusively to 127.0.0.1.

At least on Windows, this has the neat side effect that the Windows Firewall does not ask for permission to allow a server, which it does when binding to interfaces other than localhost.

overheadhunter commented 7 years ago

Legitimate concern.

Still, there are several use cases for non-loopback mode (as loopback is already covered by the GUI application). The CLI application is primarily targeted at those users wanting to use it on a Linux home server, so we should add a second example with an explicit warning about the consequences of too loose a binding later.