  1. Apr 01, 2015
  2. Mar 24, 2015
  3. Mar 18, 2015
  4. Mar 17, 2015
    • search: Fix search on create date · 4d26f29f
      Jared Hancock authored
      This addresses the issue where the advanced search dialog was submitted
      before the date picker inputs were fixed up. This problem arises out of a
      difference between the agent's date formatting preference and the server
      being able to process that date format. The date pickers are reformatted to
      yyyy-mm-dd before submission; however, for advanced search, the submission
      happened before the inputs were fixed up.
      
      This patch addresses the issue by manually fixing up the date in the
      submission routine for the advanced search dialog.
  5. Mar 12, 2015
  6. Feb 18, 2015
  7. Feb 11, 2015
    • login: Require CSRF token to login · 504831fe
      Jared Hancock authored
      This patch fixes a vulnerable scenario, where sequential login attempts can
      be made without an existing session, and without a valid CSRF token. This
      scenario lends itself well for brute force password attempts, because
      attackers can avoid using a session and still send requests to determine if
      a set of credentials is valid. This vector also avoids the authentication
      lockout mechanism, because it requires an ongoing session to shut down the
      requests.
      
      This patch addresses the issue by requiring a session and a valid CSRF token
      generated by the server and placed in the session to be submitted with the
      credentials. Therefore, an existing session and a Cookie header are required
      to process a login attempt. Secondly, the CSRF token will be changed on the
      server after each login processed. Therefore, for each session, a subsequent
      GET request would be necessary before submitting another login attempt.
  8. Feb 06, 2015
  9. Jan 14, 2015
    • Session never expires · ee072130
      Jared Hancock authored
      This patch sends updated session cookies to the browser when the session is
      refreshed on the server. This allows the session cookie to expire on the
      browser at the same time the session timeout occurs at the server. In the
      event the session timeout is configured in osTicket not to expire, the
      cookie will expire after seven days on the client browser, and will expire
      in PHP when it is garbage collected sometime more than 86400 seconds after the
      last refresh time.
      
      Using this method, the session will never expire if the session timeout in
      osTicket is configured to 0, and the session is refreshed at least daily.
  10. Dec 31, 2014
    • files: Provide unified download script · d9cf38bc
      Jared Hancock authored
      This script adds a single download script, 'file.php', which provides access
      to files of all types to all users. It uses an HMAC signature system with an
      expires time, which allows signed URLs to be sent to external users.
      
      This also fixes an issue with the Http::cacheable() method, where the
      last-modified and Etag headers were not properly compared, which resulted in
      permanent cache misses by the client.
  11. Dec 28, 2014
    • Retire l.php · b647d1aa
      Peter Rotich authored
      Stop trampolining links via l.php. It was necessary before in order to avoid
      the potential of leaking ticket number & email. The authentication mechanism
      in place now redirects on successful login.
  12. Dec 16, 2014
    • ui: Implement "enable canned responses" config option · d5e8ac09
      Jared Hancock authored
      This patch removes the selection of canned responses as well as the canned
      responses navigation page from the ui when the canned responses feature is
      disabled.
    • lock: Set ticket lock on ticket-view · 1ab0f541
      Jared Hancock authored
      Since the automatic lock was being acquired but not passed to the autoLock
      system, the automatically acquired lock was not being released on away
      navigation.
      
      This patch addresses the issue by passing the automatically acquired lock id
      to the autoLock system on ticket-view page load and changes the ::Init()
      method so that the lock id is not cleared when the ::Init() method is called
      by the page load.
  13. Oct 15, 2014
  14. Oct 10, 2014
  15. Oct 09, 2014
  16. Oct 06, 2014
  17. Oct 03, 2014
  18. Oct 02, 2014
  19. Oct 01, 2014
  20. Sep 30, 2014
    • Dashboard statistics should use 'period' as the date limiter · c1abffd7
      Matt Kirman authored
      The statistics module on the dashboard was using the incorrect query parameter
      'stop'. This meant that the module was loading all tickets from the report start
      date to the present day. This commit fixes this by using the 'period' parameter
      instead.
  21. Sep 29, 2014
    • forms: Revisit several small issues for "info" field · e9dfba9c
      Jared Hancock authored
        * Use the title of "Information" with internal tag of "info"
        * Add "Visibility" column to UI and retire "Required" and "Internal"
          columns
        * Add visibility selection to new fields and show visibility to the user
          information fields when displayed on the ticket details form
        * Make the visibility settings translatable
        * Use constants internally for visibility configuration detection
        * Use a larger input when managing the information HTML content
        * Fix validation errors for new fields
          * Enforce new field name uniqueness
          * Enforce new field name character validation
  22. Sep 26, 2014
  23. Sep 25, 2014
  24. Sep 19, 2014
    • Remove "resolved" state · c1cdf82c
      Peter Rotich authored
      This is necessary to avoid confusion vs. closed state.
    • forms: Add new visibility property · 85f87cf2
      Jared Hancock authored
      This allows fields to specify a visibility constraint that will be evaluated
      in real time in the browser to automatically show and hide fields that
      should be hidden based on values of other fields in the same form.
      
      Validation is not performed on fields server-side if they are considered
      invisible when submitted.
  25. Sep 17, 2014
    • pages: Fix incorrect lookup of inline images · eb4d1b36
      Jared Hancock authored
      In some cases, a POST might be sent to the server and there might be no draft. In
      such a case, neither the draft nor the body of the page can be inspected for
      images. Even worse, in some cases the previous images might be unlinked from
      the article without being relinked. Therefore, the images will no longer be
      linked to the page and will likely be purged from the system.
  26. Sep 10, 2014