Configure PDF protection by token redirection to only work on GET and HEAD requests. If we attempted to work on other request methods we would probably break something as there is no way to preserve request bodies. The default was previously been to work on all requests. This behavious can still be changed using the SecPdfProtectInterceptGETOnly directive but I am going to leave it undocumented.

apache2/apache2_config.c

@@ -456,7 +456,7 @@ void init_directory_config(directory_config *dcfg) {
     if (dcfg->pdfp_secret == NOT_SET_P) dcfg->pdfp_secret = NULL;
     if (dcfg->pdfp_timeout == NOT_SET) dcfg->pdfp_timeout = 10;
     if (dcfg->pdfp_token_name == NOT_SET_P) dcfg->pdfp_token_name = "PDFPTOKEN";
-    if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 0;
+    if (dcfg->pdfp_only_get == NOT_SET) dcfg->pdfp_only_get = 1;
 
     /* Geo Lookup */
     if (dcfg->geo == NOT_SET_P) dcfg->geo = NULL;
@@ -1547,7 +1547,7 @@ const command_rec module_directives[] = {
         cmd_pdf_protect_intercept_get_only,
         NULL,
         RSRC_CONF,
-        "whether or not to intercept only GET requess."
+        "whether or not to intercept only GET and HEAD requess. Defaults to true."
     ),
 
     AP_INIT_TAKE1 (

apache2/pdf_protect.c

@@ -400,12 +400,14 @@ int pdfp_check(modsec_rec *msr) {
         return 0;
     }
 
-    /* Ignore request methods other than GET if
+    /* Ignore request methods other than GET and HEAD if
      * configured to do so.
      */
-    if ((msr->r->method_number != M_GET)&&(cfg->pdfp_only_get != 0)) {
+    if ((msr->r->method_number != M_GET)&&(msr->r->method_number != M_HEAD)
+        &&(cfg->pdfp_only_get != 0))
+    {
         if (msr->txcfg->debuglog_level >= 4) {
-            msr_log(msr, 4, "PdfProtect: Configured not to intercept non-GET requests "
+            msr_log(msr, 4, "PdfProtect: Not intercepting a GET/HEAD request "
             "(method=%s/%i).", log_escape_nq(msr->mp, msr->r->method), msr->r->method_number);
         }