From e2047ec3a033962094d20da7b0b96743684e1ae9 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Mon, 2 Mar 2026 15:22:28 -0800 Subject: [PATCH] apache: Fix diagnosing URLs protected by OpenID Connect Tests: - Clear out the directory /var/cache/apache2/mod_auth_openidc/metadata/. Then run diagnostics on Calibre app without the patch. Several URLs fail because 404 has been returned on /calibre URL. With the patch the diagnostics succeed. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- plinth/modules/apache/components.py | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/plinth/modules/apache/components.py b/plinth/modules/apache/components.py index 64df03437..e9149add2 100644 --- a/plinth/modules/apache/components.py +++ b/plinth/modules/apache/components.py @@ -301,7 +301,19 @@ def check_url(url: str, kind: str | None = None, wrapper: str | None = None, expected_output: str | None = None) -> bool: """Check whether a URL is accessible.""" - command = ['curl', '--location', '-f', '-w', '%{response_code}'] + # When testing a URL with cURL, following any redirections with --location. + # During those follows, store cookies that have been set and use them for + # later requests. mod_auth_openidc will set a cookie 'x_csrf' to prevent + # CSRF attacks and expect this cookie to sent back to it in later requests. + # If this cookie is not present, it will refuse to perform OIDC Discovery + # process resulting 404 errors and diagnostic failures for domains that + # have not been visited by a user recently. --cookie '' means the cURL will + # use an in-process cookie-jar for storing and retrieving cookies without + # writing to a file on the disk. + command = [ + 'curl', '--location', '--cookie', '', '--fail', '--write-out', + '%{response_code}' + ] if kind == '6': # extract zone index