- Feb 11, 2015
Jared Hancock authored
This patch fixes a vulnerable scenario, where sequential login attempts can be made without an existing session, and without a valid CSRF token. This scenario lends itself well to brute-force password attempts, because attackers can avoid using a session and still send requests to determine if a set of credentials is valid. This vector also avoids the authentication lockout mechanism, because it requires an ongoing session to shut down the requests. This patch addresses the issue by requiring a session and a valid CSRF token generated by the server and placed in the session to be submitted with the credentials. Therefore, an existing session and a Cookie header are required to process a login attempt. Secondly, the CSRF token will be changed on the server after each login processed. Therefore, for each session, a subsequent GET request would be necessary before submitting another login attempt.
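The session-plus-rotating-token check described in that commit, as an added illustration rather than osTicket's own code. It assumes the session key `_csrf_login`, the form field names `csrf_token`, `username` and `password`, and a placeholder `verify_credentials()` in place of the real lookup.

```php
<?php
// Added example (not osTicket code): a login POST handler that refuses requests
// with no pre-existing session, requires the token the server stored in that
// session, and spends the token on every attempt so the next try needs a fresh GET.
declare(strict_types=1);

const CSRF_KEY = '_csrf_login';   // assumed session key name

// Called by the GET handler that renders the login form.
function issue_login_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_KEY] = $token;
    return $token;                // embed as a hidden form field
}

// Placeholder for the real credential check (assumed helper).
function verify_credentials(string $user, string $pass): bool {
    return false;
}

function handle_login_post(array $cookies, array $post): array {
    // 1. A login attempt must ride on an existing session: no session cookie in
    //    the Cookie header means no attempt is processed and no lookup happens.
    if (!isset($cookies[session_name()])) {
        return ['ok' => false, 'reason' => 'no-session'];
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 2. The session must hold a server-issued token from a prior GET.
    $expected = $_SESSION[CSRF_KEY] ?? '';
    // 3. Spend the token before checking anything: a second POST on this session
    //    fails until a fresh GET issues a new one, so attempts cannot be pipelined.
    unset($_SESSION[CSRF_KEY]);
    $supplied = (string)($post['csrf_token'] ?? '');   // assumed field name
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return ['ok' => false, 'reason' => 'bad-token'];
    }
    // 4. Only now touch the credentials; the lockout logic keys off this session.
    $ok = verify_credentials((string)($post['username'] ?? ''),
                             (string)($post['password'] ?? ''));
    if ($ok) {
        session_regenerate_id(true);   // fresh id after privilege change
    }
    return ['ok' => $ok, 'reason' => $ok ? 'authenticated' : 'bad-credentials'];
}
```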

- Jul 30, 2014
Jared Hancock authored
Add other locations as well as a failsafe for the htmlentities() call

- Jun 27, 2014
Jared Hancock authored

- Jun 25, 2014
Thane de Loth authored
Multilanguage Support via gettext
  - added gettext encapsulations to all texts I thought necessary
  - added fallback function for the case that the gettext extension isn't loaded
  - added browser language detection
  - added gettext to the list of optional extensions in setup
  - rewritten some of the texts to use sprintf instead of appending strings
  - added German translation file
  - removed mark_overdue-confirm from cannedresponses.inc.php
Extend multi language support and a few fixes
  - Better detection of translation files
  - Added functionality to redirect language codes (see redirecting language codes)
  - Ticket Status can be translated
  - The Datepicker can be translated
  - Extended functionality of 'testlang.php' to show what language code is used to translate
Forgot to apply a patch from RC5 to RC6
  - Forgot to change $var to $vars in line 380 of class.mailfetch.php
  - Removed unneeded comment
Added php_gettext as primary translation engine
  - Added php_gettext support (thanks to Danilo Segan and Steven Armstrong)
  - php_gettext is now the primary translation engine
  - Extended language detection functionality
Add error/misconfiguration checks and fix undefined variables

- Jun 18, 2014
Jared Hancock authored
Starting with osTicket 1.8.1, users must receive an email and follow a link in the email to get access to the ticket. With this new option, the email verification step can be avoided in osTicket 1.9, because access is now only granted to exactly one ticket.

- May 07, 2014
Jared Hancock authored

- Apr 25, 2014
Jared Hancock authored

- Mar 27, 2014
Jared Hancock authored
Regardless of the configuration of the help desk registration, allow users to receive ticket links via email. This patch enables the display and operation of the ticket access link unless a user login is requested by the user or specifically required by the system.

- Mar 26, 2014
Jared Hancock authored
This adds a feature for remote authentication methods for clients, such as LDAP, which will, after successful authentication, yield a ClientCreateRequest rather than an AuthenticatedUser. The ClientCreateRequest represents a successful authentication and user information lookup for a remote client. The client is then presented with a registration page where their information for their account in the local system can be reviewed prior to the account creation. Once created, the client account is confirmed without an email confirmation and is logged in immediately without reentering a password.

- Mar 25, 2014
Jared Hancock authored
Jared Hancock authored
This is the mode of the system if account registration is disabled
Jared Hancock authored
Instead of always showing the tickets page

- Mar 20, 2014
Jared Hancock authored

- Jan 20, 2014
Peter Rotich authored
Ticket owner as well as collaborators can request access link by entering email and ticket number.

- Jan 17, 2014
Peter Rotich authored

- Jan 15, 2014
Peter Rotich authored

- Jul 17, 2013
Jared Hancock authored
Administrators are allowed to upload one or more logos and then select from the uploaded logos to set one for the client site. Logos can also be deleted on settings->pages submission

- Feb 19, 2013
Peter Rotich authored

- Oct 03, 2012
Peter Rotich authored
Use the improved login function. Redirect to ticket view on successful login.
Peter Rotich authored
change tryLogin to simply login

- Aug 13, 2012
Jared Hancock authored

- May 13, 2012
Peter Rotich authored

- May 10, 2012
Peter Rotich authored

- Apr 21, 2012
Jared Hancock authored
And correct several undefined function errors from several source files. So while function names in PHP are considered case-insensitive, it still makes sense to use consistent camel casing for both defining and calling methods. The lint test searches the code base for method calls, and then searches the code base again looking for a function definition matching the name of the function invoked. It's not failsafe, because it doesn't detect the class to which the method should belong, so it's likely to have false negatives. Furthermore, it won't work well for PHP 5 where several classes are built into PHP (and aren't searchable in the osTicket code base). Remove the include/staff/api.inc.php as it no longer appears to be used (and contains references to undefined methods).

- Mar 23, 2012
Peter Rotich authored

- Mar 19, 2012
Jared Hancock authored