Also, give a "Browser not supported" error for browsers which do not support
the Blob constructor.

filter: Fix filtering by list item properties

Reviewed-By: Peter Rotich <peter@osticket.com>

login: Require CSRF token to login

Reviewed-By: Peter Rotich <peter@osticket.com>

This patch fixes a vulnerable scenario, where sequential login attempts can
be made without an existing session, and without a valid CSRF token. This
scenario lends itself well for brute force password attempts, because
attackers can avoid using a session and still send requests to determine if
a set of credentials are valid. This vector also avoids the authentication
lockout mechanism, because it requires an ongoing session to shutdown the
requests.

This patch addresses the issue by requiring a session and a valid CSRF token
generated by the server and placed in the session to be submitted with the
credentials. Therefore, an existing session and a Cookie header are required
to process a login attempt. Secondly, the CSRF token will be changed on the
server after each login processed. Therefore, for each session, a subsequent
GET request would be necessary before submitting another login attempt.

email: Message-Id header with user and thread ID

Reviewed-By: Peter Rotich <peter@osticket.com>

Session never expires

Reviewed-By: Peter Rotich <peter@osticket.com>

logo: Allow customized SCP logo

Reviewed-By: Peter Rotich <peter@osticket.com>

Fix very predictable random data on some platforms

Reviewed-By: Peter Rotich <peter@osticket.com>

Revert "Disable auto-responses on staff created tickets"

thread: Remove collaborators when removing the thread

Reviewed-By: Peter Rotich <peter@osticket.com>

charset: Normalize charsets

Reviewed-By: Jared Hancock <jared@osticket.com>

References:
https://bugs.php.net/bug.php?id=43200
http://stackoverflow.com/a/22521203

Also try harder to send a relevant In-Reply-To and References header back
to the client with the email message.

This pull request adds a cleanup util for bogus and invalid charsets, mostly
added by a nameless company out of Redmond, WA.

Fix SLA link in help tips

Reviewed-By: Peter Rotich <peter@osticket.com>

This patch sends updated session cookies to the browser when the session is
refreshed on the server. This allows the session cookie to expire on the
browser at the same time the session timeout occurs at the server. In the
event the session timeout is configured in osTicket not to expire, the
cookie will expire after seven days on the client browser, and will expire
in PHP when it is garbage collected sometime after 86400 seconds after the
time last refresh time.

Using this method, the session will never expire if the session timeout in
osTicket is configured to 0, and the session is refreshed at least daily.

Fixes https://github.com/osTicket/osTicket-1.8/issues/1673

Misc::randCode does not generate significantly random data for Windows
platforms with a local database. This stems from the random seed using the
milliseconds from the current time of day and the database connection time,
in microseconds. Because Windows has especially poor sub-second time
resolution via the microtime() function, the seed does not have many
variations.

This patch addresses the issue by using the included Crypto::random()
function as a source of random data rather than the mt_rand() function, as
it uses native cryptographic random data generators if possible to generate
the data, and uses microtime() as a fallback if no other source of random
data is available on the platform.

Tested with 1.9.4 - found no other / related / new issues due to this change of the z-index.

Fixes: https://github.com/osTicket/osTicket-1.8/issues/980
Fixes: https://github.com/osTicket/osTicket-1.8/issues/1411

This fixes a slight issue where the team members would never be included on
the new message alert. Now, the system will send to either the assigned
staff member, if any, or the members of the assigned team, again, if any.