FIX: safely unhook zend_ast_process across Apache graceful restarts (#295)

PopoviciMarian · web-flow · commit 088eee43aab6 · 2025-10-10T10:59:58.000+03:00
diff --git a/README.md b/README.md
@@ -38,25 +38,25 @@ Prerequisites:
 
 ##### x86_64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.x86_64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.x86_64.rpm
 ```
 
 ##### arm64 / aarch64
 ```
-rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.aarch64.rpm
+rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.aarch64.rpm
 ```
 
 #### For Debian-based Systems (Debian, Ubuntu)
 
 ##### x86_64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
 ##### arm64 / aarch64
 ```
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.aarch64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.aarch64.deb
 dpkg -i -E ./aikido-php-firewall.aarch64.deb
 ```
 
diff --git a/docs/aws-elastic-beanstalk.md b/docs/aws-elastic-beanstalk.md
@@ -4,7 +4,7 @@
 ```
 commands:
   aikido-php-firewall:
-    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.x86_64.rpm"
+    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.x86_64.rpm"
     ignoreErrors: true
 
 files:
diff --git a/docs/fly-io.md b/docs/fly-io.md
@@ -32,7 +32,7 @@ Create a script to install the Aikido PHP Firewall during deployment:
 #!/usr/bin/env bash
 cd /tmp
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 ```
 
diff --git a/docs/laravel-forge.md b/docs/laravel-forge.md
@@ -21,7 +21,7 @@ cd /tmp
 
 # Install commands from the "Manual install" section below, based on your OS
 
-curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.5/aikido-php-firewall.x86_64.deb
+curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.3.6/aikido-php-firewall.x86_64.deb
 dpkg -i -E ./aikido-php-firewall.x86_64.deb
 
 # Restarting the php services in order to load the Aikido PHP Firewall
diff --git a/lib/agent/globals/constants.go b/lib/agent/globals/constants.go
@@ -1,7 +1,7 @@
 package globals
 
 const (
-	Version                             = "1.3.5"
+	Version                             = "1.3.6"
 	ConfigUpdatedAtMethod               = "GET"
 	ConfigUpdatedAtAPI                  = "/config"
 	ConfigAPIMethod                     = "GET"
diff --git a/lib/php-extension/HookAst.cpp b/lib/php-extension/HookAst.cpp
@@ -134,14 +134,14 @@ void HookAstProcess() {
 }
 
 void UnhookAstProcess() {
-    if (!original_ast_process) {
-        AIKIDO_LOG_WARN("Cannot unhook \"zend_ast_process\" without an original handler (was not previously hooked)!\n");
-        return;
-    }
-
     AIKIDO_LOG_INFO("Unhooked \"zend_ast_process\" (original handler %p)!\n", original_ast_process);
 
-    zend_ast_process = original_ast_process;
+   // As it's not mandatory to have a zend_ast_process installed, we need to ensure UnhookAstProcess() restores zend_ast_process even if the original was NULL
+   // Only unhook if the current handler is still ours, avoiding clobbering others
+    if (zend_ast_process == aikido_ast_process){
+        zend_ast_process = original_ast_process;
+    }
+
     original_ast_process = nullptr;
 }
 
diff --git a/lib/php-extension/include/php_aikido.h b/lib/php-extension/include/php_aikido.h
@@ -3,7 +3,7 @@
 extern zend_module_entry aikido_module_entry;
 #define phpext_aikido_ptr &aikido_module_entry
 
-#define PHP_AIKIDO_VERSION "1.3.5"
+#define PHP_AIKIDO_VERSION "1.3.6"
 
 #if defined(ZTS) && defined(COMPILE_DL_AIKIDO)
 ZEND_TSRMLS_CACHE_EXTERN()
diff --git a/lib/request-processor/globals/globals.go b/lib/request-processor/globals/globals.go
@@ -14,5 +14,5 @@ var CloudConfigMutex sync.Mutex
 var MiddlewareInstalled bool
 
 const (
-	Version = "1.3.5"
+	Version = "1.3.6"
 )
diff --git a/package/rpm/aikido.spec b/package/rpm/aikido.spec
@@ -1,5 +1,5 @@
 Name:           aikido-php-firewall
-Version:        1.3.5
+Version:        1.3.6
 Release:        1
 Summary:        Aikido PHP Extension
 License:        GPL

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,5 @@ var CloudConfigMutex sync.Mutex`
`14`	`14`	`var MiddlewareInstalled bool`
`15`	`15`
`16`	`16`	`const (`
`17`		`- Version = "1.3.5"`
	`17`	`+ Version = "1.3.6"`
`18`	`18`	`)`