- Sep 20, 2013
-
-
Jared Hancock authored
When comparing the From address of incoming email. If the ticket owner sent an email back into the system and the email address did not match exactly, case-wise, the email would not be considered from the ticket owner.
-
Jared Hancock authored
-
- Sep 18, 2013
-
-
Jared Hancock authored
-
Jared Hancock authored
Also converts ROOT_DIR detection to always use forward slashes. And it fixes the removal of the leading double-backslash on Windows UNC names (fixes #649)
-
- Sep 13, 2013
-
-
Jared Hancock authored
This is safe now, because the title is appropriately encoded in class.thread.php/ThreadEntry::create(). Fixes #567, #718
-
Jared Hancock authored
if the domain given in HTTP_HOST variable happens to have a port specification. Technically, the port specification should not be included in the domain spec given in the cookie. (And for the record, that makes no sense to me, seeing as a cookie would otherwise be valid for all servers on any ports at a particular domain).
-
- Sep 12, 2013
-
-
Jared Hancock authored
The previous implementation did not work correctly for symlinked folders. The new approach uses debug_backtrace() and ROOT_DIR to determine the difference between ROOT_DIR and the osTicket installation path. This thing is like a turd that won't flush
-
- Sep 11, 2013
-
-
Jared Hancock authored
-
Peter Rotich authored
and restarts PHP SESSION
-
Jared Hancock authored
-
Peter Rotich authored
Also, allow for the administrator to manually define the ROOT_PATH in the config file (the very last mile).
-
- Sep 09, 2013
-
-
Jared Hancock authored
If an alert message manages to loop back into the ticketing system, refuse posting to the ticket thread. Technically, the message should be marked as an auto-response message; however, auto-response messages should usually be allowed to be appended to the ticket thread. This patch will check if the From email header cites an email address that is a system email address (visible in the Emails section of the Admin Panel). If it is, the email is completely ignored.
-
Peter Rotich authored
-
- Sep 06, 2013
-
-
Jared Hancock authored
-
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
-
Jared Hancock authored
This code was lost when the message-id tracking feature was implemented
-
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
-
Jared Hancock authored
If unable to detect the root path, provide a fallback ROOT_PATH setting to './'. This is likely to happen if run from the command line (like for crons) or if DOCUMENT_ROOT and the folder of main.inc.php seem to have nothing in common. Fixes #704
-
Jared Hancock authored
-
- Sep 05, 2013
-
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
Previously, filenames saved in the database had the spaces changed for underbars; however, other characters (such as commas and non-ASCII characters) presented issues with user agents downloading the attachments. This patch handles the filename encoding for two special cases -- Internet Explorer and Safari, and provides the semi-standard RFC5987 method of encoding the filename for the remaining browsers. Attachments are no longer forced to be downloaded. It is up to the browser to decide if the attachment should be shown in the browser or downloaded. This patch also fixes a slight bug in the caching mechanism for downloads concerning the last-modified time. The date sent to the browser was not properly converted to GMT time, although the server claimed that it was.
-
Jared Hancock authored
Historically, ROOT_PATH and ROOT_DIR contained the same value; however, ROOT_PATH now points to the URL path where osTicket is installed, whereas ROOT_DIR points to the file system location where osTicket is installed.
-
Jared Hancock authored
When an admin logs in to upgrade to 1.7.1 and further from a version previous to 1.7.1, the system will attempt to clear password reset tokens from the config table, which hasn't been upgraded yet to the namespaced version from 1.7.1
-
Jared Hancock authored
Some security inspection appliances and load balancers don't appreciate something in the HTTP headers that is not a valid HTTP header. Furthermore, the browser needs the Content-Type header to identify that the image is not the PHP default of text/html
-
Jared Hancock authored
Previously, filenames saved in the database had the spaces changed for underbars; however, other characters (such as commas and non-ASCII characters) presented issues with user agents downloading the attachments. This patch handles the filename encoding for two special cases -- Internet Explorer and Safari, and provides the semi-standard RFC5987 method of encoding the filename for the remaining browsers. Attachments are no longer forced to be downloaded. It is up to the browser to decide if the attachment should be shown in the browser or downloaded. This patch also fixes a slight bug in the caching mechanism for downloads concerning the last-modified time. The date sent to the browser was not properly converted to GMT time, although the server claimed that it was.
-
- Sep 04, 2013
-
-
Jared Hancock authored
Some security inspection appliances and load balancers don't appreciate something in the HTTP headers that is not a valid HTTP header. Furthermore, the browser needs the Content-Type header to identify that the image is not the PHP default of text/html
-
- Sep 03, 2013
-
-
Jared Hancock authored
Historically, ROOT_PATH and ROOT_DIR contained the same value; however, ROOT_PATH now points to the URL path where osTicket is installed, whereas ROOT_DIR points to the file system location where osTicket is installed.
-
Jared Hancock authored
When an admin logs in to upgrade to 1.7.1 and further from a version previous to 1.7.1, the system will attempt to clear password reset tokens from the config table, which hasn't been upgraded yet to the namespaced version from 1.7.1
-
Jared Hancock authored
This mainly comes in when a MIME header which might contain a list of email addresses (like Reply-To) is to be parsed, but is empty. The Mail_RFC822 class would return an empty mailbox @ localhost (where 'localhost' is the default default_domain for mail address list parsing).
-
Jared Hancock authored
-
Jared Hancock authored
This patch affords an administrator the ability to remove the [#%{ticket.number}] from the email template subject line for the new ticket autoresponse and the new message autoresponse. Previously, the ticket number with a prefixed hash in brackets was used to identify which ticket thread an email was in reference to. With this patch, the email message-id (which was already kept on file) is sent in the MIME "References" header. When a user responds to an autoresponse email, the "References" will include this message-id in the return email. The ticket thread is then matched up with the email based on the message-id rather than the subject line. Ticket numbers are still supported in the subject line, in the event that non-compliant email clients do not properly include the References header.
-
Jared Hancock authored
-
Jared Hancock authored
-
- Sep 02, 2013
-
-
Jared Hancock authored
Fixes #683. Search results on the client interface for knowledgebase articles would previously show hits for the internal (private) knowledgebase articles. The subjects were shown but the articles were not viewable. This addresses the SQL logic issue causing the private hits to be shown.
-
Peter Rotich authored
-
Jared Hancock authored
Also raise awareness of the hosted platform for osTicket
-
- Aug 30, 2013
-
-
Jared Hancock authored
Also include
* username validation -- no spaces or weird chars
* no longer base64 encoded sha1-hex hash for CSRF token
* refresh login page every two hours to keep session active
-
- Aug 26, 2013
-
-
Peter Rotich authored
-
- Aug 22, 2013
-
-
Brian Tafoya authored
-