cambridgeuniversity / ucam-webauth-php

PHP library for the Ucam WebAuth (Raven) protocol

ipv6 hostname #11

Open drtdre opened 6 years ago

drtdre commented 6 years ago

If the hostname is an ipv6 address (with colons), the 'token signature' is incorrectly identified as invalid. The user identity can be found by using a regex expression '/!(\w*)?!!pwd/' on $_SERVER['QUERY_STRING']

Not sure if this is really an issue, but may become one as ipv6 becomes more prevalent.

jw35 commented 6 years ago

Signature validation is one area where there seem to be multiple bugs in this code, though I can't immediately think how an IPv6 could get into the response message (except perhaps as a literal in the URL field) or why it would provoke a validation error.

The user identity can be found by using a regex expression '/!(\w*)?!!pwd/' on $_SERVER['QUERY_STRING']

DON'T DO THAT! Manually extracting a user identity out of the query string without validating the signature is DANGEROUS. It's only the signature that proves the response message came from Raven. If you ignore the signature, anyone can construct a response message and claim to be anyone, thus completely bypassing authentication.
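To illustrate the point above, here is an added example (not code from ucam-webauth-php) of the check a relying site has to make before trusting the principal: verify the Raven signature over the response, and only then read the identity out of it. The field layout, the `WLS-Response` parameter name and the signature encoding are assumed from the Raven WAA2WLS protocol, version 3; the public key and the site URL are placeholders, and freshness (`issue`) and replay (`id`) checks are left out.

```php
<?php
// Added example, not part of ucam-webauth-php. Assumed WLS-Response layout (protocol v3):
// ver!status!msg!issue!id!url!principal!ptags!auth!sso!life!params!kid!sig
// The signature is assumed to be RSA-SHA1 over the first twelve fields, base64
// encoded with '+' -> '-', '/' -> '.', '=' -> '_'. Fields containing '!' or '%'
// arrive escaped as %21 / %25 per the spec.

function ravenPrincipal(string $wlsResponse, string $ravenPublicKeyPem, string $expectedUrl): ?string
{
    $fields = explode('!', $wlsResponse);
    if (count($fields) !== 14 || $fields[0] !== '3') {
        return null;                       // unexpected version or field count
    }
    [$ver, $status, $msg, $issue, $id, $url, $principal, $ptags,
     $auth, $sso, $life, $params, $kid, $sig] = $fields;

    if ($status !== '200') {
        return null;                       // WLS reported a failure: no identity to trust
    }
    // The url field must name this site exactly, or a response issued for another
    // site could be replayed here. Compare whole strings rather than parsing
    // host:port, so an IPv6 literal such as [2001:db8::1] cannot confuse the check.
    if (str_replace(['%21', '%25'], ['!', '%'], $url) !== $expectedUrl) {
        return null;
    }
    // Signed data: the first twelve fields, joined with '!', exactly as received.
    $signed = implode('!', array_slice($fields, 0, 12));
    $rawSig = base64_decode(strtr($sig, '-._', '+/='), true);
    if ($rawSig === false) {
        return null;                       // signature is not valid base64: reject
    }
    $key = openssl_pkey_get_public($ravenPublicKeyPem);
    if ($key === false || openssl_verify($signed, $rawSig, $key, OPENSSL_ALGO_SHA1) !== 1) {
        return null;                       // signature does not verify: treat as forged
    }
    // Only now is the principal trustworthy; a regex over QUERY_STRING skips all of this.
    return $principal;
}

// Placeholder values: replace with the real Raven public key and this site's URL.
$ravenPublicKeyPem = file_get_contents('/path/to/raven-public-key.pem');
$user = ravenPrincipal($_GET['WLS-Response'] ?? '', $ravenPublicKeyPem, 'https://example.invalid/login');
if ($user === null) {
    http_response_code(403);               // not authenticated
}
```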