diff --git a/WHATSNEW.md b/WHATSNEW.md index 7bc3553b8031dd6bec76213c5daa8b1050114eea..23feb4398283dccca4fab36fb11be3fecf744bf1 100644 --- a/WHATSNEW.md +++ b/WHATSNEW.md @@ -1,4 +1,4 @@ -osTicket 1.11.0 +osTicket 1.11.0-rc.1 ================== ## Major New Features - Custom Columns/Custom Queues @@ -63,6 +63,33 @@ osTicket 1.11.0 - Add Custom Forms to Ticket Filter Data - Fix for LDAP/AD auth plugin (#4198, #3460, #3544, #3549) +osTicket v1.10.3 +================ +### Enhancements +* issue: Org. User Account Status (#4219) +* upgrader: Flush Cache On Upgrade (#4227) +* issue: Outlook _MailEndCompose (#4206) +* issue: Files - deleteOrphans() (#4253) +* issue: Fix imap_open Disable Authenticator (#4195) +* Check permissions before displaying Close Task (#4177) + +### Performance and Security +* issue: Information Page Performance (#4275) +* issue: Prevent Click Jacking (#4266) +* orm: queryset: Fix circular reference error (#4247) + + +osTicket v1.10.2 +================ +### Performance and Security +* Prevent Account Takeover (be0133b) +* Prevent Agent Directory XSS (36651b9) +* Httponly Cookies (5b2dfce) +* File Upload Bypass (3eb1614) +* Only allow image attachments to be opened in the browser window (4c79ff8) +* Fix randNumber() (5b8b95a) +* CSRF in users.inc.php URL (285a292) +* AJAX Reflected XSS (e919d8a) osTicket v1.10.1 ================ diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php index 3496f2d517c0329d9275b8dbb75abdb9de3f1f86..7644cbb7eaee141a20de00e0ae705336ff3770ed 100644 --- a/include/class.mailfetch.php +++ b/include/class.mailfetch.php 
@@ -136,8 +136,8 @@ class MailFetcher { // Disable Kerberos and NTLM authentication if it happens to be // supported locally or remotely if (version_compare(PHP_VERSION, '5.3.2', '>=')) - $args += array(NULL, 0, array( - 'DISABLE_AUTHENTICATOR' => array('GSSAPI', 'NTLM'))); + $args = array_merge($args, array(NULL, 0, array( + 'DISABLE_AUTHENTICATOR' => array('GSSAPI', 'NTLM')))); $this->mbox = @call_user_func_array('imap_open', $args); diff --git a/include/class.orm.php b/include/class.orm.php index 733b880ea6e7beca2505c33fb096508b3534966d..934dcc86f77035b5ce9de1b76cc5a51f48e050a4 100644 --- a/include/class.orm.php +++ b/include/class.orm.php @@ -1801,15 +1801,22 @@ extends CachedResultSet { class ModelInstanceManager implements IteratorAggregate { - var $queryset; var $model; var $map; + var $resource; + var $annnotations; + var $defer; static $objectCache = array(); function __construct(QuerySet $queryset) { - $this->queryset = $queryset; $this->model = $queryset->model; + $this->resource = $queryset->getQuery(); + $cache = !$queryset->hasOption(QuerySet::OPT_NOCACHE); + $this->resource->setBuffered($cache); + $this->map = $this->resource->getMap(); + $this->annotations = $queryset->annotations; + $this->defer = $queryset->defer; } function cache($model) { @@ -1864,7 +1871,7 @@ implements IteratorAggregate { return null; } } - $annotations = $this->queryset->annotations; + $annotations = $this->annotations; $extras = array(); // For annotations, drop them from the $fields list and add them to // an $extras list. The fields passed to the root model should only @@ -1883,7 +1890,7 @@ implements IteratorAggregate { // Construct and cache the object $m = $modelClass::__hydrate($fields); // XXX: defer may refer to fields not in this model - $m->__deferred__ = $this->queryset->defer; + $m->__deferred__ = $this->defer; $m->__onload(); if ($cache) $this->cache($m); 
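Review bot: The new `array_merge` line only disables GSSAPI/NTLM when `$args` is exactly the three positional values `[mailbox, user, pass]`, because the appended `NULL, 0, array(...)` are mapped by position onto imap_open's options, n_retries and params; nothing in the hunk pins that shape, and a different length would silently shift the params argument so the restriction is never applied. I would add above the `if`: `// $args must be [mailbox, user, pass]: the appended NULL/0/params map positionally to imap_open()'s options, n_retries and params`. It is also worth a one-line comment that the old `+=` was presumably a no-op, since keys 0-2 already existed in `$args` and `+` never overwrites existing keys, so this change likely enables the authenticator restriction for the first time and mailboxes that only accept NTLM/GSSAPI may start failing to open. The enclosing method begins and ends outside the hunk.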
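Review bot: The new declaration `var $annnotations;` is misspelled (three n's) while the constructor assigns `$this->annotations` and the later lookup reads `$this->annotations`, so the declared property is dead and the real one is created dynamically; that works on the PHP versions this file targets, but dynamic properties are deprecated from PHP 8.2 and the typo misleads anyone reading the class. Change it to `var $annotations;`. Moving `$this->resource = $queryset->getQuery();` into the constructor also shifts the query from first iteration to object construction, so an instance that is created but never iterated now still touches the database if getQuery() executes the statement; a comment stating that this is deliberate (presumably the fix for the circular reference the changelog lists as #4247) would keep someone from "optimising" it back. The class continues past the hunk.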
@@ -1953,10 +1960,6 @@ implements IteratorAggregate { } function getIterator() { - $this->resource = $this->queryset->getQuery(); - $this->map = $this->resource->getMap(); - $cache = !$this->queryset->hasOption(QuerySet::OPT_NOCACHE); - $this->resource->setBuffered($cache); $func = ($this->map) ? 'getRow' : 'getArray'; $func = array($this->resource, $func); diff --git a/include/client/header.inc.php b/include/client/header.inc.php index 30b0273c5d33d8e5d1c410a5af4a1d8c32319d46..b5d8c990d90c2935ed51cc9d202b5e765e46aa11 100644 --- a/include/client/header.inc.php +++ b/include/client/header.inc.php @@ -6,6 +6,7 @@ $signin_url = ROOT_PATH . "login.php" $signout_url = ROOT_PATH . "logout.php?auth=".$ost->getLinkToken(); header("Content-Type: text/html; charset=UTF-8"); +header("X-Frame-Options: SAMEORIGIN"); if (($lang = Internationalization::getCurrentLanguage())) { $langs = array_unique(array($lang, $cfg->getPrimaryLanguage())); $langs = Internationalization::rfc1766($langs); diff --git a/include/staff/header.inc.php b/include/staff/header.inc.php index 14616767106caf353267573395e970da9de5f4e5..90e95599abff19464d7caba578a9c4cdba3d03a0 100644 --- a/include/staff/header.inc.php +++ b/include/staff/header.inc.php @@ -1,5 +1,6 @@ <?php header("Content-Type: text/html; charset=UTF-8"); +header("X-Frame-Options: SAMEORIGIN"); $title = ($ost && ($title=$ost->getPageTitle())) ? $title : ('osTicket :: '.__('Staff Control Panel')); diff --git a/include/staff/login.header.php b/include/staff/login.header.php index 4460229c1acb8c2814128e343c9d0e861048abcc..abe9d46f0b53b4894910778ffc3bb897f820317f 100644 --- a/include/staff/login.header.php +++ b/include/staff/login.header.php @@ -1,5 +1,6 @@ <?php defined('OSTSCPINC') or die('Invalid path'); +header("X-Frame-Options: SAMEORIGIN"); ?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> 
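Review bot: With the setup removed from `getIterator()`, every iteration of the manager now shares the single `$this->resource` built in the constructor, whereas before each call obtained a fresh query from the queryset; when `OPT_NOCACHE` selected `setBuffered(false)`, a second `foreach` over the same instance would presumably see an exhausted result instead of re-running the query. Either document the contract above `$func`, e.g. `// resource is created once in the constructor; re-iteration relies on it being buffered/rewindable`, or re-fetch the resource here when the unbuffered option is set. The body of getIterator() continues past the hunk.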
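Review bot: `X-Frame-Options: SAMEORIGIN` is the legacy framing control; the standard replacement is the CSP `frame-ancestors` directive, which browsers that support it prefer when both are present, so I would send both on the new line: `header("X-Frame-Options: SAMEORIGIN"); header("Content-Security-Policy: frame-ancestors 'self'");`. Because the header is emitted from this template rather than a common bootstrap, any response that never renders header.inc.php (AJAX endpoints, attachment downloads, API output) stays frameable, and the commit does not address that gap; a single `header()` call in the front-controller bootstrap would cover every response. The same applies to the identical additions in staff/header.inc.php, staff/login.header.php and setup/inc/header.inc.php.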
diff --git a/include/staff/system.inc.php b/include/staff/system.inc.php index 20198b8f88c040d7592a9d5c512bb25c3fc5029b..a1341fd01a6033254e27785886bb3eb18f3360ea 100644 --- a/include/staff/system.inc.php +++ b/include/staff/system.inc.php @@ -154,7 +154,17 @@ if (!$lv) { ?> echo sprintf('%.2f MiB', $space); ?></td> <tr><td><?php echo __('Space for Attachments'); ?></td> <td><?php - $sql = 'SELECT SUM(LENGTH(filedata)) / 1048576 FROM '.FILE_CHUNK_TABLE; + $sql = 'SELECT + (DATA_LENGTH + INDEX_LENGTH) / 1024 / 1024 + FROM + information_schema.TABLES + WHERE + TABLE_SCHEMA = "'.DBNAME.'" + AND + TABLE_NAME = "'.FILE_CHUNK_TABLE.'" + ORDER BY + (DATA_LENGTH + INDEX_LENGTH) + DESC'; $space = db_result(db_query($sql)); echo sprintf('%.2f MiB', $space); ?></td></tr> <tr><td><?php echo __('Timezone'); ?></td> diff --git a/include/staff/templates/task-view.tmpl.php b/include/staff/templates/task-view.tmpl.php index adb250728e1ae3bd19c355e78974120bc39237a5..6153c8f20da3987fecebbdedd08ed20783dd9faa 100644 --- a/include/staff/templates/task-view.tmpl.php +++ b/include/staff/templates/task-view.tmpl.php @@ -154,7 +154,7 @@ if ($task->isOverdue()) echo __('Reopen');?> </a> </li> <?php - } else { + } elseif ($canClose) { ?> <li> <a class="no-pjax task-action" @@ -212,7 +212,7 @@ if ($task->isOverdue()) echo __('Reopen');?> </a> </li> <?php - } else { + } elseif ($canClose) { ?> <li> <a class="no-pjax task-action" diff --git a/setup/inc/header.inc.php b/setup/inc/header.inc.php index 4d59e4076b9f5ed93d2428b02f683048d607e58e..57ceade2e12bad159d811881d8f8eea2022c22f7 100644 --- a/setup/inc/header.inc.php +++ b/setup/inc/header.inc.php @@ -1,3 +1,4 @@ +<?php header("X-Frame-Options: SAMEORIGIN"); ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html <?php
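Review bot: The new query wraps `DBNAME` and `FILE_CHUNK_TABLE` in double quotes, which MySQL treats as string literals only while `ANSI_QUOTES` is absent from sql_mode; with that mode enabled they become identifiers and the query fails, so use single quotes: `TABLE_SCHEMA = '".DBNAME."' AND TABLE_NAME = '".FILE_CHUNK_TABLE."'`. Both values are configuration constants rather than request input, so this is not an injection path, but they are interpolated unescaped and a short comment saying why that is acceptable here would save the next auditor a re-check. The `ORDER BY (DATA_LENGTH + INDEX_LENGTH) DESC` is redundant for a WHERE that selects one table and can be dropped. Note also that `DATA_LENGTH + INDEX_LENGTH` is the engine's estimate of on-disk table size including indexes, not the exact sum of stored file bytes the old `SUM(LENGTH(filedata))` measured, so the figure shown under "Space for Attachments" changes meaning; a comment such as `// approximate on-disk size of the chunk table (incl. indexes), not exact attachment bytes` makes that explicit.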
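Review bot: Gating the Close menu item on `$canClose` only hides the link; the task close action must enforce the same permission server-side, since the action URL can be requested directly without the menu. Neither the handler nor the definition of `$canClose` is in this hunk, so if that check is not already present this remains a cosmetic change rather than an authorization fix; a comment beside the `elseif`, e.g. `// UI only; the close action re-checks the permission server-side`, would record where the real enforcement lives. The same edit appears twice in this template (both hunks), so the duplicated gate is a candidate for a shared action-list snippet. The surrounding template logic starts and ends outside the hunk.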