This commit addresses possible Arbitrary Method Invocation via AJAX file upload.

To save some memory osTicket uses callback method to fetch the content of a
file on mail fetch. $file['data'] was overloaded as a callback by simply
checking if the content is callable, resulting in method invocation when
content of the uploaded file is a callable.

The address the issue we're not using locally set callback parameter / method.

This enhances security patch (33ed10) to allow image attachments to be
opened in a new tab if the setting is enabled. This adds a new setting to
the Agent Profile labeled "Image Attachment View" that determines how image
attachments are handled. The two options are "Download" and "Inline" with
"Download" being the default. If the option is set to "Download" all image
attachments will be forced to download. If the option is set to "Inline" all
image attachments will open in a new tab when you right click + open in new
tab.

This addresses an issue reported by Aishwarya Iyer where attached HTML files
are executed in the browser instead of forcing download in Firefox and IE
for Windows specifically. This is caused by an incorrect
`Content-Disposition` set in the `AttachmentFile::download` function.
Instead of attachments having a disposition of `attachment` (which forces
download) they have a disposition of `inline` (which displays the file
contents in the browser). This updates the download function to use whatever
disposition is passed (for S3 plugin), if none it defaults to `attachment`.
In addition, this overwrites the disposition and sets it to `attachment`
after the `$bk->sendRedirectURL()` so that S3 attachments still work and the
issue of an attacker passing their own disposition is mitigated.

Remove file type overwrite previously used to force downloads. This
addresses potential XSS where an attacker could pass "image" resulting in
the file being displayed in line.

Support using %{ticket.thread} to export the entire ticket thread
correspondence between agents and end users (owner + collaborators).

This commit ensures that we use the correct disposition for downloading files.

This commit ensures that we will always get the correct attachment name regardless of if the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs)

This commit ensures that we will always get the correct attachment name regardless of if the file content is the same. Additionally, it ensures that the file_ids for attachments are compared in the correct order (elseifs)

An index was added to the v1.11 branch to support the ORM query. Because the
index cannot be applied to v1.10, the query was rewritten for the 1.10.x
branch to provide better performance without changes to the database. When
1.10.x was merged into 1.11.x the rewritten SQL accidentally showed up. This
reverts that merge to use the original ORM query.

This addresses an issue that was introduced by a previous attempt to
address the orphaned file query. The previous attempt addressed the
original issue but slowed database performance so this addresses the
performance issue.

This addresses an issue that was introduced by a previous attempt to
address the orphaned file query. The previous attempt addressed the
original issue but slowed database performance so this addresses the
performance issue.

This addresses the issue where files were being deleted before being sent
out in Agent responses. This was due to a bug in the query that gets the
orphaned files. This query was getting files created within the last 24
hours not after the last 24 hours. The query also had another bug that
would use the time from PHP instead of MySQL which could cause issues.
This updates the query as per @greezybacon's suggestions to delete
orphaned files that were created more than 24 hours ago.

This addresses the issue where files were being deleted before being sent
out in Agent responses. This was due to a bug in the query that gets the
orphaned files. This query was getting files created within the last 24
hours not after the last 24 hours. The query also had another bug that
would use the time from PHP instead of MySQL which could cause issues.
This updates the query as per @greezybacon's suggestions to delete
orphaned files that were created more than 24 hours ago.

Commit c4579277 introduced an extra administrative security feature to
restrict files access to signed in users only, even  if a user has a valid
& signed download URL. The feature, however, did not take into account
public images & files associated with FAQs and pages such as
landing/thank-you pages.

This commit addresses the shortcoming by adding a reference ID (attachment ID)
to the download/access URL, that can be used to deduce the model/object type
that the file request is associated with. The technique will allow us in the
future to enforce ACL at the file level depending on privacy settings and
the security clearance of the user (agent).

This duplicates the custom logo code to allow for custom login backdrops. A
new page is added to the "Company" settings page which allows for management
of the uploaded custom backdrops.

Previously, the create method was used to create a new instance of an orm
model (which would later result in an INSERT when persisted); however, some
classes require or utilize varying parameters to their create() method,
which PHP7 considers an error. Methods in subclasses must be defined with a
calling signature compatible with the parent class.

This patch shifts the concept of model creation to the constructor. Now, the
constructor of ORM models is required to be compatible with that of
ModelBase class. Now that most models do not define a constructor, this is
much easier to control, and much more logical.

Also, remove an issue where assignments on a relationship field to an
instance of a super class of the foreign model would raise an error. This
was previously addressed by re-classing the instance in the
ModelInstanceManager::getOrBuild(); however that design would create
multiple instances of the same object in memory, which defeats one of the
primary design concepts of the ORM. This patch addresses the issue by
allowing super-classes of the declared foreign model in relationship
assignments.

This commit attempts to remove all coding standard warnings emitted by PHP
7.0.

If the configuration for the file backend is set to something invalid, do a
better job of falling back to database-backed attachments.

When saving an attached file in the database, Passing the whole content of the file to bin2hex leads to allocating the memory for the whole hex encoded file while the binary content of the file is still in memory. This leads easily to Out of memory error on limited resources servers. Calling bin2hex on each chunk of the file greatly limits the memory usage.

Also,
* use current year when no company name exists (yet)
* log a `created` timestamp for new files
* drop table %group during the upgrade

This patch suggests that old attachments in the `upload_dir` can be located
and left alone when upgrading away from osTicket v1.6. Later, via the `file`
command line applet, the attachments can be migrated into the database, or
to the new filesystem plugin after it is installed with:

    php manage.php file migrate --backend=6 --to=D

This allows attachment migration to be retried in the event it failed for
any reason.

* Log events for AJAX collaborator list edits
* Avoid extra selects for inline image handling
* Avoid using htmLawed to add target="_blank" and class="no-pjax" to links
  in the ticket thread
* Cache instances of IntlDateFormatter; seems expensive to set up
* Cache filetypes Yaml in APC if available
* Cache I18n::getDefaltLanguage() in the request
* Avoid extraneous usage of Model::_inspect and Model::$meta
* Add aggregated query support to the ORM
* Lazily compile SQL query for InstrumentedLists
* Apply `select_related` setting when setting up InstrumentedList instances
* Slight optimization in SqlCompiler::getField
* Avoid double compiling Sql annotations in the ORDER BY clause
* Cache Thread::getEntries
* Break out event types for ThreadEvent for more legible code
* Eliminate one query from Ticket::loadDynamicData
* Fix ticket number bolding if already answered
* Use dependent subqueries for ticket statistics in the queue page, which is
  significantly faster for large data sets (like hundreds of attachments or
  thread entries)
* Fixup sidebar layout on client knowledge base pages

This patch includes a slight database migration, and adjusts the
functionality of a few core components.

  * Move collaborators from the ticket to the thread.
    This concept allows collaborators on any object which has a thread,
    including tasks.

  * Add flags to the thread entry
    This will allow flagging thread entries for different purposes.
    Initially this can be used to flag the original message of a thread in
    case a ticket / thread is created without an initial message.

  * Lock becomes more of a utility
    The lock is now disconnected from the ticket and is a separate utility.
    Separately, the ticket and task objects can have a reference to a lock
    object. Furthermore, when submitting some activities to tickets, the
    lock is verified to be owned by the respective agent, and the lock code
    must match a current lock code. The code is rotated on each acquire()
    call to guard against double submissions.

  * Collaborator is an ORM model
    The TicketUser class is broken up now so that the collaborator instance
    can exist apart from a ticket. Email message ids are now generated for
    collaborators without respect for a ticket so that collaborators can be
    properly supported on any thread.

This patch converts the central file and threading classes over to use the
ORM.

Files upgraded from versions of osTicket prior to 1.9.1 did not have a
`signature` field in the database. For caching purposes in generating the
Etag HTTP header, the getSignature function cascades through the getKey
method. This may be inconsistent in the signed URL creation.

This patch adds a cascade flag to the getSignature method so the cascading
will not happen unless specifically requested.

This script adds a single download script, 'file.php', which provides access
to files of all types to all users. It uses a HMAC signature system with an
expires time, which allows signed URLs to be sent to external users.

This also fixes an issue with the Http::cacheable() method, where the
last-modified and Etag headers were not properly compared, which resulted in
permanent cache misses by the client.

Use generic attachment table for all attachments system-wide.
Drop thread entry attachment table

Detach conversation thread from ticket to make it more generic. Any object
can now have its own thread complete with entry type and attachments.

Use generic attachment table for all attachments system-wide.
Drop thread entry attachment table

Detach conversation thread from ticket to make it more generic. Any object
can now have its own thread complete with entry type and attachments.