- Feb 17, 2015
  - Jared Hancock authored
  - Jared Hancock authored
- Feb 13, 2015
  - Jared Hancock authored
- Feb 11, 2015
  - Jared Hancock authored
  - Jared Hancock authored
    This patch fixes a vulnerable scenario where sequential login attempts can be made without an existing session and without a valid CSRF token. This scenario lends itself well to brute-force password attempts, because attackers can avoid using a session and still send requests to determine whether a set of credentials is valid. This vector also avoids the authentication lockout mechanism, because it requires an ongoing session to shut down the requests. This patch addresses the issue by requiring a session and a valid CSRF token, generated by the server and placed in the session, to be submitted with the credentials. Therefore, an existing session and a Cookie header are required to process a login attempt. Secondly, the CSRF token will be changed on the server after each login processed. Therefore, for each session, a subsequent GET request would be necessary before submitting another login attempt.
- Feb 06, 2015
  - Jared Hancock authored
  - Jared Hancock authored
  - Jared Hancock authored
- Feb 03, 2015
  - Jared Hancock authored
    References:
    https://bugs.php.net/bug.php?id=43200
    http://stackoverflow.com/a/22521203
  - Jared Hancock authored
- Feb 02, 2015
  - Jared Hancock authored
- Jan 30, 2015
  - Jared Hancock authored
- Jan 24, 2015
  - Peter Rotich authored
- Jan 23, 2015
  - Jared Hancock authored
    Also try harder to send relevant In-Reply-To and References headers back to the client with the email message.
  - Peter Rotich authored
    This pull request adds a cleanup util for bogus and invalid charsets, mostly added by a nameless company out of Redmond, WA.
- Jan 14, 2015
  - Jared Hancock authored
    This patch sends updated session cookies to the browser when the session is refreshed on the server. This allows the session cookie to expire on the browser at the same time the session timeout occurs at the server. In the event the session timeout is configured in osTicket not to expire, the cookie will expire after seven days on the client browser, and will expire in PHP when it is garbage collected sometime after 86400 seconds after the last refresh time. Using this method, the session will never expire if the session timeout in osTicket is configured to 0 and the session is refreshed at least daily.
- Jan 13, 2015
  - Chefkeks authored
    Fixes https://github.com/osTicket/osTicket-1.8/issues/1673
  - Jared Hancock authored
    Misc::randCode does not generate significantly random data for Windows platforms with a local database. This stems from the random seed using the milliseconds from the current time of day and the database connection time, in microseconds. Because Windows has especially poor sub-second time resolution via the microtime() function, the seed does not have many variations. This patch addresses the issue by using the included Crypto::random() function as a source of random data rather than the mt_rand() function, as it uses native cryptographic random data generators if possible to generate the data, and uses microtime() as a fallback if no other source of random data is available on the platform.
- Jan 12, 2015
  - Jared Hancock authored
- Jan 09, 2015
  - Jared Hancock authored
    This fixes a slight issue where the team members would never be included on the new message alert. Now, the system will send to either the assigned staff member, if any, or the members of the assigned team, again, if any.
  - Jared Hancock authored
  - Jared Hancock authored
  - Jared Hancock authored
    Files upgraded from versions of osTicket prior to 1.9.1 did not have a `signature` field in the database. For caching purposes in generating the Etag HTTP header, the getSignature function cascades through the getKey method. This may be inconsistent in the signed URL creation. This patch adds a cascade flag to the getSignature method so the cascading will not happen unless specifically requested.
- Jan 07, 2015
  - Jared Hancock authored
- Jan 06, 2015
  - Jared Hancock authored
    Don't add to endTime if not already set
  - Jared Hancock authored
  - Jared Hancock authored
  - Jared Hancock authored
- Jan 05, 2015
  - Jared Hancock authored
- Jan 02, 2015
  - Peter Rotich authored
    Show the form title on edit instead of "Custom Form", which can be misleading since the user might be editing a built-in form.
- Dec 31, 2014
  - Jared Hancock authored
    If a new ticket is assigned to both an individual agent and a team, do not send the email alert to the team lead or the team members.
  - Jared Hancock authored
  - Jared Hancock authored
    This patch changes the ticket filter system so that it can be recursively looped to allow for banning and matching on the reply-to address and name.
  - Jared Hancock authored
    This script adds a single download script, 'file.php', which provides access to files of all types to all users. It uses an HMAC signature system with an expires time, which allows signed URLs to be sent to external users. This also fixes an issue with the Http::cacheable() method, where the last-modified and Etag headers were not properly compared, which resulted in permanent cache misses by the client.
- Dec 30, 2014
  - Peter Rotich authored
    Use http::build_query instead of inline urlencode
  - Jared Hancock authored
    * Fix incorrect mapping to user email address
    * Fix early rejecting of tickets — even if a filter earlier in the matching filter list had "stop on match" set
    * Fix ::stopOnMatch referring to incorrect db field
    The new logic abandons the early rejection logic in ticket create. Instead, the normal validation is completed as usual. Thereafter, the filter is initialized and applied to the ticket. Upon rejection, a RejectedException is thrown by the ::apply() method of the TicketFilter. The Ticket::create() method will handle the exception and reject the ticket.
- Dec 28, 2014
  - Peter Rotich authored
    Stop trampolining links via l.php. It was necessary before in order to avoid the potential of leaking ticket number & email. The authentication mechanism in place now redirects on successful login.
  - Peter Rotich authored
  - Peter Rotich authored
    This is necessary so we can sanitize/encode inputs.
- Dec 26, 2014
  - Jared Hancock authored
    This patch changes the default formatting for text bodies used in emails, ticket thread, and canned response quoting so that white-space in text bodies is properly preserved. Previously, the text was treated as raw HTML and was not properly escaped, nor was the original whitespace preserved.