  3. May 08, 2015
      autocron: Release agent session before running · b076f503
      Jared Hancock authored
      The PHP session system will hold a lock on the session until it is released.
      It is important to release the session before performing long-running tasks
      so that further requests from the agent are not locked.
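The pattern the commit above describes, as an added example (not osTicket's own code): do every session read and write while the lock is held, release it with `session_write_close()`, and only then run the slow task. `run_autocron()` is a hypothetical stand-in for the cron job.

```php
<?php
// Added example, not osTicket's own code. run_autocron() is a hypothetical
// stand-in for the long-running task the autocron request performs.

function run_autocron(int $seconds): void
{
    sleep($seconds); // simulate a cron run that takes a while
}

session_start();                       // acquires the session lock

// Do every read and write the request needs while the lock is still held.
$agentId = $_SESSION['agent_id'] ?? 0;
$_SESSION['last_autocron'] = time();

// Release the lock. Other requests carrying the same session cookie can now
// be served instead of queuing behind this one until the cron run finishes.
session_write_close();

// Anything assigned to $_SESSION from here on is NOT persisted; if the
// session must be changed after the slow work, call session_start() again.
run_autocron(5);

header('Content-Type: text/plain');
echo "autocron finished for agent {$agentId}\n";
```

A quick check that the lock was really released: open two tabs with the same session cookie, hit this script in one and any other page in the second; the second request should return immediately rather than after the `sleep()`.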
  11. Mar 17, 2015
      search: Fix search on create date · 4d26f29f
      Jared Hancock authored
      This addresses the issue where the advanced search dialog was submitted
      before the date picker inputs were fixed up. This problem arises out of a
      difference between the agent's date formatting preference and the server
      being able to process that date format. The date pickers are reformatted to
      yyyy-mm-dd before submission; however, for advanced search, the submission
      happened before the inputs were fixed up.
      
      This patch addresses the issue by manually fixing up the date in the
      submission routine for the advanced search dialog.
  14. Feb 11, 2015
      login: Require CSRF token to login · 504831fe
      Jared Hancock authored
      This patch fixes a vulnerable scenario, where sequential login attempts can
      be made without an existing session, and without a valid CSRF token. This
      scenario lends itself well for brute force password attempts, because
      attackers can avoid using a session and still send requests to determine if
      a set of credentials are valid. This vector also avoids the authentication
      lockout mechanism, because it requires an ongoing session to shut down the
      requests.
      
      This patch addresses the issue by requiring a session and a valid CSRF token
      generated by the server and placed in the session to be submitted with the
      credentials. Therefore, an existing session and a Cookie header are required
      to process a login attempt. Secondly, the CSRF token will be changed on the
      server after each login processed. Therefore, for each session, a subsequent
      GET request would be necessary before submitting another login attempt.
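A minimal login handler implementing the two rules the commit states (a session-bound CSRF token is mandatory, and it is rotated after every processed login), as an added example that is not osTicket's code. The field name `__CSRFToken__`, the `check_credentials()` and `record_failed_attempt()` helpers and the lockout threshold are assumptions for illustration.

```php
<?php
// Added example, not osTicket's own code. __CSRFToken__, check_credentials()
// and record_failed_attempt() are hypothetical names used for illustration.

session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_valid(?string $submitted): bool
{
    // No token in the session means no prior GET on this session: reject, so a
    // cookieless client gets no oracle for whether credentials were right.
    if (!isset($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

function rotate_csrf_token(): void
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function check_credentials(string $user, string $pass): bool
{
    // Hypothetical: real code loads the user and verifies the stored hash.
    static $hash = null;
    $hash ??= password_hash('secret', PASSWORD_DEFAULT);
    return $user === 'agent' && password_verify($pass, $hash);
}

function record_failed_attempt(): void
{
    // Hypothetical: the lockout counter lives in the session, which only
    // protects anything once a session is mandatory for every attempt.
    $_SESSION['failed_logins'] = ($_SESSION['failed_logins'] ?? 0) + 1;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['__CSRFToken__'] ?? null)) {
        http_response_code(403);
        exit("Missing or invalid CSRF token; load the login form first.\n");
    }
    // Rotate before the credential check so a second POST on this session
    // cannot reuse the token: one GET of the form per attempt.
    rotate_csrf_token();

    if (($_SESSION['failed_logins'] ?? 0) >= 5) {
        http_response_code(429);
        exit("Too many failed attempts.\n");
    }
    if (check_credentials($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);   // new id on privilege change
        $_SESSION['agent_id'] = 1;
        header('Location: /scp/index.php');
        exit;
    }
    record_failed_attempt();
    http_response_code(401);
    exit("Invalid credentials.\n");
}

// GET: render the form with the per-session token embedded.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post">
  <input type="hidden" name="__CSRFToken__" value="{$token}">
  <input name="username"><input type="password" name="password">
  <button>Log in</button>
</form>
HTML;
```

To verify the property the commit is after, POST credentials without a cookie (`curl -d 'username=a&password=b' /login.php`): the answer must be the 403 from the token check, not a 401 that reveals whether the credentials were wrong.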
  16. Jan 14, 2015
      Session never expires · ee072130
      Jared Hancock authored
      This patch sends updated session cookies to the browser when the session is
      refreshed on the server. This allows the session cookie to expire on the
      browser at the same time the session timeout occurs at the server. In the
      event the session timeout is configured in osTicket not to expire, the
      cookie will expire after seven days on the client browser, and will expire
      in PHP when it is garbage collected sometime after 86400 seconds after the
      last refresh time.
      
      Using this method, the session will never expire if the session timeout in
      osTicket is configured to 0, and the session is refreshed at least daily.
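The cookie-refresh logic the commit describes, written out as an added example (not osTicket's code): re-send the session cookie with an expiry matching the server-side timeout on every refresh, fall back to seven days when the timeout is 0, and keep PHP's garbage collector from discarding the session first. `$timeout` models the osTicket session timeout setting and is an assumption here.

```php
<?php
// Added example, not osTicket's own code. $timeout models the application's
// session timeout setting (0 = never expire); the seven-day fallback and the
// 86400-second gc lifetime follow the commit message.

function refresh_session_cookie(int $timeout, ?int $now = null): int
{
    $now = $now ?? time();
    // 0 means "never expire" in the application: hand the browser a seven-day
    // cookie and rely on each refresh to push the expiry out again.
    $lifetime = $timeout > 0 ? $timeout : 7 * 86400;
    $expires  = $now + $lifetime;

    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => $expires,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $expires;
}

// The server must not discard the session before the cookie expires. With the
// default gc_maxlifetime of 1440 seconds, a seven-day cookie would soon point
// at a session PHP has already garbage-collected.
$timeout = 0; // hypothetical config value: "never expire"
ini_set('session.gc_maxlifetime', (string) max(86400, $timeout));
session_start();

$_SESSION['last_refresh'] = time();
$exp = refresh_session_cookie($timeout);
echo 'session cookie now expires at ' . gmdate('c', $exp) . "\n";
```

`setcookie()` must run before any output, so keep this call in the session bootstrap rather than in a template. The array form of `setcookie()` used here requires PHP 7.3 or later.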
  17. Dec 31, 2014
      files: Provide unified download script · d9cf38bc
      Jared Hancock authored
      This script adds a single download script, 'file.php', which provides access
      to files of all types to all users. It uses an HMAC signature system with an
      expires time, which allows signed URLs to be sent to external users.
      
      This also fixes an issue with the Http::cacheable() method, where the
      last-modified and Etag headers were not properly compared, which resulted in
      permanent cache misses by the client.
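Both halves of the commit above, as an added example that is not osTicket's code: an HMAC-signed download link with an expiry, verified in constant time, and a conditional-GET check of the kind `Http::cacheable()` performs that actually compares the client's `If-None-Match` / `If-Modified-Since` headers. The query parameter names (`id`, `expires`, `signature`), the signing key and the sample file id are assumptions for illustration.

```php
<?php
// Added example, not osTicket's own code. Parameter names, the key and the
// sample file id are assumptions for illustration.

const SIGNING_KEY = 'replace-with-a-random-32-byte-secret';

function sign_file_url(string $fileId, int $ttl, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    // Sign file id AND expiry so neither can be changed without the key.
    $sig = hash_hmac('sha256', $fileId . "\n" . $expires, SIGNING_KEY);
    return sprintf('file.php?id=%s&expires=%d&signature=%s',
        rawurlencode($fileId), $expires, $sig);
}

function verify_file_request(array $query, ?int $now = null): bool
{
    if (!isset($query['id'], $query['expires'], $query['signature'])) {
        return false;
    }
    if (!ctype_digit((string) $query['expires'])) {
        return false;
    }
    $expires = (int) $query['expires'];
    if ($expires < ($now ?? time())) {
        return false;                                   // link has expired
    }
    $expected = hash_hmac('sha256', $query['id'] . "\n" . $expires, SIGNING_KEY);
    return hash_equals($expected, (string) $query['signature']); // constant time
}

// Conditional GET: compare what the client sent against the current ETag and
// modification time; on a hit send 304 and let the caller skip the body.
function cacheable(string $etag, int $lastModified): bool
{
    $etag        = trim($etag, '"');
    $ifNoneMatch = trim($_SERVER['HTTP_IF_NONE_MATCH'] ?? '', '"');
    $ifModSince  = $_SERVER['HTTP_IF_MODIFIED_SINCE'] ?? '';
    $since       = $ifModSince !== '' ? strtotime($ifModSince) : false;

    $fresh = ($ifNoneMatch !== '' && hash_equals($etag, $ifNoneMatch))
          || ($since !== false && $since >= $lastModified);

    header('ETag: "' . $etag . '"');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastModified) . ' GMT');
    if ($fresh) {
        http_response_code(304);
        return true;
    }
    return false;
}

// Usage: issue a 24-hour link, then verify the query string it carries, a
// tampered copy, and the same link checked two days later.
$url = sign_file_url('abc123', 86400);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(verify_file_request($q));
$tampered = $q;
$tampered['id'] = 'other';
var_dump(verify_file_request($tampered));
var_dump(verify_file_request($q, time() + 2 * 86400));
```

Two points worth keeping when adapting this: the expiry must be inside the signed data (otherwise a recipient can extend a link indefinitely), and the comparison must use `hash_equals()` rather than `==`, which both leaks timing and, on PHP's loose comparison, treats some hex strings as equal numbers.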
      Retire l.php · b647d1aa
      Peter Rotich authored
      Stop trampolining links via l.php. It was necessary before in order to avoid
      the potential of leaking ticket number & email. The authentication mechanism
      in place now redirects on successful login.
      ui: Implement "enable canned responses" config option · d5e8ac09
      Jared Hancock authored
      This patch removes the selection of canned responses as well as the canned
      responses navigation page from the ui when the canned responses feature is
      disabled.
      lock: Set ticket lock on ticket-view · 1ab0f541
      Jared Hancock authored
      Since the automatic lock was being acquired but not passed to the autoLock
      system, the automatically acquired lock was not being released on away
      navigation.
      
      This patch addresses the issue by passing the automatically acquired lock id
      to the autoLock system on ticket-view page load and changing the ::Init()
      method so that the lock id is not cleared when the ::Init() method is called
      by the page load.