This addresses an issue where the 'DISABLE_AUTHENTICATOR' args were not
properly added to the `imap_open` params. This changes the `+=` operator
to `array_merge()` to successufully add the params.

This addresses a vulnerability where there was no `X-Frame-Options` header
which could potentially allow click jacking. This adds the
`X-Frame-Options: SAMEORIGIN` header so it will remove any chance of click
jacking. According to Mozilla Developer Docs:
```
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page
itself.
```

This addresses an issue on the forums where the query to determine the
size of the `file_chunk` table is making the page load really slow for
people with large tables. This updates the query to improve the
performance of the page load time.

This addresses the issue where files were being deleted before being sent
out in Agent responses. This was due to a bug in the query that gets the
orphaned files. This query was getting files created within the last 24
hours not after the last 24 hours. The query also had another bug that
would use the time from PHP instead of MySQL which could cause issues.
This updates the query as per @greezybacon's suggestions to delete
orphaned files that were created more than 24 hours ago.

This addresses an issue where Outlook adds weird (and seemingly random)
_MailEndCompose tags to the email body which turns unwanted content into
links. This adds the _MailEndCompose tag to Format::sanitize() so it
will be removed from the email body.

This addresses an issue where the Upgrader will sometimes use an outdated
cached object and throw an error. This adds a the function to clear the
Model Cache every time the Upgrader runs an Upgrade Patch to get fresh
objects.

This addresses an issue where the User’s account status is always 'Active'
in the Organization list no matter what their actual status is. This adds the
account status to the user query which adds the correct status to the Users’
account.

* issue/ajax-reflected-xss:
  issue: AJAX Reflected XSS

* issue/csrf-in-users-url:
  issue: CSRF In users.inc.php URL

* issue/rand-number:
  oops: Fix randNumber()

* aydreeihn/issue/attachment_downloads:
  Exclude Vulnerable Image Files
  Only allow image attachments to be opened in the browser window

* issue/file-upload-bypass:
  issue: File Upload Bypass

* issue/httponly-cookies:
  issue: Httponly Cookies

* issue/xss-agent-directory:
  xss: Prevent Agent Directory XSS

This addresses an issue where you can exploit XSS in the help-topic AJAX
request. This adds a check for a refferal URL and if none it will return
a 403 Forbidden Response.

This addresses an issue where the CSRF Token is displayed in the URL
when you preform a search in the Users Tab. This removes the token from the
request which removes it from the URL.

This addresses a vulnerability where an Agent can perform XSS via the
Agent Directory’s REQUEST query string. This sanitizes the request params
so the code will be escaped and not executed in the browser.

This addresses an issue where the `randNumber()` function would crash on
32-Bit systems if the ticket format was set to a really high amount of
digits (eg. ###################). This is because the `max()` value that
was being passed to `mt_rand()` exceeded the `mt_getrandmax()` limit which
caused an error. This updates the function to generate a random number for
each digit to avoid the `mt_getrandmax()` limit.

This addresses an issue where someone can “takeover” an account with only
a User’s email and a User’s previous ticket number. Once they get access
to a User’s ticket they can go to the Ticket Owner’s profile and change
the email to whatever they’d like. This adds a check on the profile to see
if the User is a Guest User. If they are a Guest then it kicks them back
to the ticket view. If they are the actual User it will let them view the
profile.

cron: Delete Expired Sessions

This addresses an issue where someone can bypass the file restrictions on
the file upload field in the Client Portal. This adds the allowed
extensions and file types to the field options so that User’s cannot
upload anything other than the allowed file types.

This addresses issue 4015 where osTicket’s cookies aren’t HttpOnly by
default. The HttpOnly flag helps prevent client scripts accessing the
cookie. This updates the method that sets the cookie params to include
the HttpOnly flag.

oops: Fix Task Print

tasks: Fix Task Updated Time

oops: User Phone Search

CVE-2017-14396

xss: Cached forms data

Encode html entities of cached form data

Format the advanced search title so that it will not allow javascript

Fix crash editing thread entry with inline image

This commit addresses an SQL injection vulnerability in ORM lookup
function.

* ORM implementation failed to properly quote fields, used in SQL
statements, that might originate from unsanitized user input.

* AttachmentFile lookup allowed for key based SQL injection by blindly
delegating non-string lookup to ORM.

Extend this to exclude image files that are injectable from opening in browser windows.