Conversation
There was a problem hiding this comment.
Pull request overview
Adds a configurable web bind address so deployments can restrict which network interface the (unencrypted) HTTP server listens on, reducing accidental exposure on multi-homed hosts or behind proxies.
Changes:
- Introduces
web_bind_ipconfiguration across INI/env/defaults, API, and server startup (libuv bind). - Exposes the setting in the web UI (settings form + i18n) and includes it in config export/backup JSON.
- Documents
bind_ipin configuration docs and wires it into the Docker entrypoint default config.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| web/public/locales/en.json | Adds UI label for the new bind address setting. |
| web/js/utils/settings-utils.js | Adds default web_bind_ip value for frontend settings model. |
| web/js/components/preact/SettingsView.jsx | Adds bind address field to settings load/save + renders an input. |
| src/web/libuv_server.c | Binds the listener to the configured IPv4 address and improves logging. |
| src/web/api_handlers_system.c | Includes web_bind_ip in system backup JSON. |
| src/web/api_handlers_settings.c | Exposes web_bind_ip in GET settings and accepts it in POST updates. |
| src/web/api_handlers_common_utils.c | Includes web_bind_ip in generic config JSON output. |
| src/core/main.c | Passes bind address into HTTP server config and updates log messages. |
| src/core/config.c | Adds env mapping/default/INI/save/print/reload logging for web_bind_ip. |
| include/web/http_server.h | Extends http_server_config_t with bind_ip. |
| include/core/config.h | Adds web_bind_ip to the core config struct. |
| docs/CONFIGURATION.md | Documents the new [web] bind_ip setting. |
| docker-entrypoint.sh | Adds bind_ip to the generated default config in container entrypoint. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| } else if (strcmp(name, "bind_ip") == 0) { | ||
| strncpy(config->web_bind_ip, value, 31); | ||
| } else if (strcmp(name, "root") == 0) { |
There was a problem hiding this comment.
strncpy(config->web_bind_ip, value, 31); does not guarantee NUL-termination when value is length >= 31. This can leave web_bind_ip unterminated and later %s logging / uv_ip4_addr reads past the buffer. Ensure the destination is always NUL-terminated (or use a bounded copy helper that always terminates).
There was a problem hiding this comment.
The strncpy here follows the same pattern as other lines in the same file, though the review comment is absolutely correct. I'd like to follow up in a separate PR and make sure that 1) the safe_strcpy function in strings.c is correct and safe, and 2) replace nearly all instances of strncpy with safe_strcpy, since 3-4 different methods are used throughout the codebase today for copying strings.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Useful for deployments with many network interfaces or behind a proxy, to avoid exposing the unencrypted HTTP port.