- Sep 06, 2013
-
-
Jared Hancock authored
Web browsers don't appreciate a cookie domain without any dots. This patch detects the originally-requested domain for the request. If the domain does not contain dots (such as 'localhost' or the name of a local server on your network defined in your hosts file), no cookie domain is sent. The greatest symptom of this issue was the illustrious 'Invalid CSRF token' seen repeatedly on the scp login page. The reason is that the browser was rejecting the cookie from the server. Fixes #677, #672, #653
-
Jared Hancock authored
-
- Sep 05, 2013
-
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
Previously, filenames saved in the database had the spaces changed for underbars; however, other characters (such as commas and non-ASCII characters) presented issues with user agents downloading the attachments. This patch handles the filename encoding for two special cases -- Internet Explorer and Safari, and provides the semi-standard RFC5987 method of encoding the filename for the remaining browsers. Attachments are no longer forced to be downloaded. It is up to the browser to decide if the attachment should be shown in the browser or downloaded. This patch also fixes a slight bug in the caching mechanism for downloads concerning the last-modified time. The date sent to the browser was not properly converted to GMT time, although the server claimed that it was.
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
Historically, ROOT_PATH and ROOT_DIR contained the same value; however, ROOT_PATH now points to the URL path where osTicket is installed, whereas ROOT_DIR points to the file system location where osTicket is installed.
-
Jared Hancock authored
-
Jared Hancock authored
When an admin logs in to upgrade to 1.7.1 and further from a version previous to 1.7.1, the system will attempt to clear password reset tokens from the config table, which hasn't been upgraded yet to the namespaced version from 1.7.1
-
Jared Hancock authored
Some security inspection appliances and load balancers don't appreciate something in the HTTP headers that is not a valid HTTP header. Furthermore, the browser needs the Content-Type header to identify that the image is not the PHP default of text/html
-
- Sep 04, 2013
-
-
sabas authored
-
- Sep 03, 2013
-
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
-
Jared Hancock authored
Files _MUST_ be readable by Apache or IIS in order for the attachment migration to complete and properly keep all attachments between osTicket 1.6 and 1.7
-
sabas authored
With ./, if called from knowledge base, it searches incorrectly offline.php in that folder.
-
Jared Hancock authored
-
Jared Hancock authored
-
Peter Rotich authored
Don't leak private FAQ titles
Reviewed-By: Peter Rotich <peter@osticket.com>
-
Peter Rotich authored
Encourage sign-ups on the mailing list
Reviewed-By: Peter Rotich <peter@osticket.com>
-
Peter Rotich authored
Don't log the user out after changing account info
Reviewed-By: Peter Rotich <peter@osticket.com>
-
Peter Rotich authored
Require encryption.
-
- Sep 02, 2013
-
-
Jared Hancock authored
Fixes #683 Search results on the client interface for knowledgebase articles would previously show hits for the internal (private) knowledgebase articles. The subjects were shown but the articles were not viewable. This addresses the SQL logic issue causing the private hits to be shown.
-
Jared Hancock authored
overwrite vs. override
Reviewed-By: Jared Hancock <jared@osticket.com>
-
Peter Rotich authored
-
Jared Hancock authored
Also raise awareness of the hosted platform for osTicket
-
- Aug 30, 2013
-
-
Jared Hancock authored
Also include
* username validation -- no spaces or weird chars
* no longer base64 encoded sha1-hex hash for CSRF token
* refresh login page every two hours to keep session active
-
- Aug 26, 2013
-
-
Peter Rotich authored
-
Peter Rotich authored
Support Reply-To headers in ticket filters
Reviewed-By: Peter Rotich <peter@osticket.com>
-
Peter Rotich authored
Fix incorrect file attachment if filetype is rejected
Reviewed-By: Peter Rotich <peter@osticket.com>
-
Peter Rotich authored
Add files new to 1.7.1 to the download package
Reviewed-By: Peter Rotich <peter@osticket.com>
-
- Aug 22, 2013
-
-
Jared Hancock authored
Copy typo on the site-pages management
Reviewed-By: Jared Hancock <jared@osticket.com>
-
Brian Tafoya authored
-
- Aug 19, 2013
-
-
Jared Hancock authored
* web.config
* pages/{.htaccess,index.php}
Fixes #667
-
- Aug 14, 2013
-
-
Jared Hancock authored
The email filtering feature supports a 'Use Reply-To' feature, but seems to never have been implemented. This patch officially supports using the Reply-To email header as the From header for emails matching the filter.
-