- Jan 27, 2020
-
-
Alexey Kuklin authored
-
- Jan 03, 2020
-
-
Alexey Kuklin authored
-
Alexey Kuklin authored
-
Alexey Kuklin authored
-
Alexey Kuklin authored
-
Alexey Kuklin authored
-
- Dec 19, 2019
-
-
Peter Rotich authored
Oops: Variable Overwrite
-
aydreeihn authored
This commit fixes an issue where the $key variable was overwritten when creating a foreach loop. Since we didn't actually need the key, it can be removed from the loop.
-
Peter Rotich authored
Issue: DB Error #1064 Queue Counts
-
Peter Rotich authored
session: Destroy Warning
-
- Dec 18, 2019
-
-
JediKev authored
This addresses the `session_destroy()` warning many people are receiving with PHP 7+. The warning states `PHP Warning: session_destroy(): Session callback expects true/false return value`. This is because our session destroy method does not always return true/false, sometimes it returns `int(1)`. This adds a check to see if the session was not deleted successfully, if not it returns false, otherwise it returns true. This will ensure `session_destroy()` always receives a true/false return value.
-
aydreeihn authored
This commit fixes an error where queue counts cannot be returned if the config saved for a queue is invalid. We try to build a query that does a count based on the criteria saved in the config, so when we try to build the query for an incorrectly saved config, the query we try to write looks something like this: `` COUNT(DISTINCT CASE WHEN THEN A1.`ticket_id` END) AS `q15` ``. Rather than trying to do a count for these, we should just skip over them so that no error is thrown since there is no way we would be able to count it anyway. It is also possible for there to be more than 1 criteria defined, and if one of them is wrong, the same error will be thrown. We can check to see if there are multiple criteria, and if one is empty, we can skip that count as well.
-
- Nov 25, 2019
-
-
Peter Rotich authored
Inline Edit Fields With Data Integrity
-
- Nov 21, 2019
-
-
aydreeihn authored
This commit adds the 'Required to close tickets' warning to inline edit fields if they are configured with the Data Integrity box checked (Require entry to close a thread)
-
Peter Rotich authored
Hotfix: File data callback
-
Peter Rotich authored
Commit 4dfb77ca failed to fully address the issue referenced.
- Nov 19, 2019
-
-
Peter Rotich authored
Security Vulnerabilities
-
Peter Rotich authored
This commit addresses possible Arbitrary Method Invocation via AJAX file upload. To save some memory osTicket uses callback method to fetch the content of a file on mail fetch. `$file['data']` was overloaded as a callback by simply checking if the content is callable, resulting in method invocation when content of the uploaded file is a callable. To address the issue we're not using locally set callback parameter / method.
-
Peter Rotich authored
This commit addresses a vulnerability on how osTicket authenticates auth-tokens used for auto-login to view ticket status. The validation process failed to handle unexpected type handling issue making it possible for users to exploit type juggling and authenticate using only email and ticket number.
-
Peter Rotich authored
This commit mitigates insufficient validation in mPDF library that enables a malicious intruder to inject arbitrary PHP objects via css @import utility that may result in Remote Code Execution.
-
Peter Rotich authored
Dialog: Highlight tab with error(s)
-
Peter Rotich authored
This commit addresses JavaScript error - on error - on a dialog modal with tab content.
- Nov 18, 2019
-
-
Peter Rotich authored
format: Clickable URLs
-
JediKev authored
This addresses issue 5176 where some Plaintext URLs are not completely clickable. This is due to the regex check for clickable URLs not including a few characters. This adds `[`, `]`, and `/` as matchable characters so URLs like `https://test.com/cart/add?route=marketplace/extension/info&product[123]=3` will be completely clickable.
-
- Nov 14, 2019
-
-
aydreeihn authored
Queue Pages Default
-
aydreeihn authored
Remove page limit parenthesis
-
aydreeihn authored
Queue Pages Default
-
aydreeihn authored
Default to the page limit when the queue returns 0 results instead of 3 pages.
-
Peter Rotich authored
Add Time boundaries to Between date range
-
Peter Rotich authored
The date picker already has the user's timezone factored in to the selection. Removing user's timezone allows for admin set queues to maintain the original timezone selection.
-
Peter Rotich authored
Clear Overdue Flag on Due Date Change
-
- Nov 13, 2019
-
-
Peter Rotich authored
Add time boundaries to between date range dates and convert results to database timezone.
-
Peter Rotich authored
Clear overdue flag on SLA / Duedate change that results in a duedate in the future.
-
- Nov 12, 2019
-
-
Peter Rotich authored
Feature: Mark as Answered permission option
-
Peter Rotich authored
db: System Time Zone
-
Peter Rotich authored
db: System Time Zone
-
JediKev authored
This addresses issue 5156 where using something like AWS RDS shows incorrect timezone for the database. In systems like AWS RDS you cannot set the `@@global.system_time_zone` variable to anything other than `UTC` which is a problem. This updates `db_connect` to set the session timezone to the global timezone for every connection. This will ensure the appropriate timezone is used in subsequent methods.
-