This commit addresses possible Arbitrary Method Invocation via AJAX file upload.

To save some memory osTicket uses callback method to fetch the content of a
file on mail fetch. $file['data'] was overloaded as a callback by simply
checking if the content is callable, resulting in method invocation when
content of the uploaded file is a callable.

The address the issue we're not using locally set callback parameter / method.

This commit addresses a vulnerability on how osTicket authenticates
auth-tokens used for auto-login to view ticket status.

The validation process failed to handle unexpected type handling issue
making it possible for users to exploit type juggling and authenticate using
only email and ticket number.

This commit mitigates insufficient validation in mPDF library that enables a
malicious intruder to inject arbitrary PHP objects via css @import utility
that may result in Remote Code Execution.

Dialog: Highlight tab with error(s)

This commit addresses javascript error - on error - on a dialog modal with tab content.

format: Clickable URLs

This addresses issue 5176 where some Plaintext URLs are not completely
clickable. This is due to the regex check for clickable URLs not including a
few characters. This adds `[`, `]`, and `/` as matchable characters so urls
like
`https://test.com/cart/add?route=marketplace/extension/info&product[123]=3`
will be completely clickable.

Queue Pages Default

Remove page limit parenthesis

Queue Pages Default

Default to the page limit when the queue returns 0 results instead of 3 pages.

Add Time boundaries to Between date range

The date picker already has the user's timezone factored in to the
selection. Removing user's timezone allows for admin set queues to maintain
the original timezone selection.

Clear Overdue Flag on Due Date Change

Add time boundaries to between data range dates and convert results to
database timezone.

Clear overdue flag on SLA / Duedate change that results in a duedate in the
future.

Feature: Mark as Answered permission option

db: System Time Zone

This updates the change made in d227d54e to use the system time zone rather
than the global time zone.

db: System Time Zone

This addresses issue 5156 where using something like AWS RDS shows incorrect
timezone for the database. In systems like AWS RDS you cannot set the
`@@global.system_time_zone` variable to anything other than `UTC` which is a
problem. This updates `db_connect` to set the session timezone to the global
timezone for every connection. This will ensure the appropriate timezone is
used in subsequent methods.

Modify Reopen Assignment

issue: Format File Name

This commit modifies the code to ensure that if the 'Disable auto assign on reopen' box is checked for a department, reopened tickets are open as unassigned when a ticket is reopened by a user's message as well as when an agent manually reopens the ticket.

issue: DB Error #1062

This formats the filename before using it in an error to avoid chance of
XSS.

This addresses a long-time issue of the famous `DB Error #1062` when
uploading an Inline File to a Draft. The issue is that the system does not
check if an Attachment record exists before creating a new one. We create a
new Attachment record, we go to save it, and the system errors out because
that record already exists. This adds a check to see if the Attachment
record already exists and if so we use that instead of creating a new one.

Issue: Edit Task Fields

issue: In-Reply-To Header

This commit fixes an issue where you were unable to edit custom fields if they were added to a task form after a task had been created.

issue: Delete Org Session Failure

This addresses an issue raised in 5111 where the `in-reply-to` header is not
sent with outgoing emails. This is due to the `$recipients` variable being
an instance of `MailingList` which is not handled correctly in
`class.mailer.php`. This adds a new case to handle `MailingList` directly.

issue: Attachment Filter

issue: Umlauts In Sender's Name

issue: Umlauts In Subject

This addresses an ORM failure where upon refetching an object from the
database that no longer exists the system crashes hard. We use the `one()`
method which expects one result, if there is no result it throws a
`DoesNotExist` exception. We are not catching the exception properly which
crashes osTicket and forces you to clear the session via browser or
database.

This addresses an issue on the Forum where deleting an Organization causes
the session to fail. This is due to the Organization QuerySet being stored
in the session and not being cleared out when deleted from the system. This
causes the system to try to refetch the object from the database which it's
not there as it's been deleted and therefore causes the session to crash.

This addresses issue 5123 where fetched Emails do not reject attachments
that are not allowed. This is due to setting a File ID inside of an array
called `$file[]` but not unsetting it when the attachment hits an
FileUploadError. This updates class MailFetch to set the file array back to
empty so that the ID is cleared and the error is added correctly which
rejects the attachment.

Some roles need the ability to mark a ticket as Answered/Unanswered but must not be able to reply directly to the customer. Both are controlled by the Post Reply permission. This seperates the two functions so they can be managed independently.