Merge tag 'v1.9.6' into develop

v1.9.6

Maintenance release for the osTicket 1.9 series

Enhancements
  * New Message-Id system allowing for better threading in mail clients (osTicket#1549, osTicket#1730)
  * Fix forced session expiration after 24 hours (osTicket#1677)
  * Staff panel logo is customizable (osTicket#1718)
  * Priority fields have a selectable default (instead of system default) (osTicket#1732)
  * Import/Export support for file contents via cli (osTicket#1661)

Improvements
  * Fix broken links in documentation, thanks @Chefkeks (osTicket#1675)
  * Fix handling of some Redmond-specific character set encoding names (osTicket#1698)
  * Include the user's name in the "To" field of outbound email (osTicket#1549)
  * Delete collaborators when deleting tickets (osTicket#1709)
  * Fix regression preventing auto-responses for staff new tickets (osTicket#1712)
  * Fix empty export if ticket details form has multiple priority fields (osTicket#1732)
  * Fix filtering by list item properties in ticket filters (osTicket#1741)
  * Fix missing icon for "add new filter", thanks @Chefkeks (osTicket#1735)
  * Support Firefox v6 - v12 on the file drop widget (osTicket#1776)
  * Show update errors on access templates (osTicket#1778)
  * Allow empty staff login banner on update (osTicket#1778)
  * Fix corruption of text thread bodies for third-party collaborator email posts (osTicket#1794)
  * Add some hidden template variables to pop out content (osTicket#1781)
  * Fix missing validation for user name and email address (osTicket#1816, eb8858e)
  * Turn off search indexing when complete, disable incorrectly implemented work breaking, squelch error 1062 email from search backend (afa9692)
  * Fix possible out of memory crash in custom forms (osTicket#1707, 0440111)

Performance and Security
  * Fix generation of random data on Windows® platforms (osTicket#1672)
  * Fix possible DoS and brute force on login pages (osTicket#1727)
  * Fix possible redirect away from HTTPS on client login page, thanks @ldrumm (osTicket#1782)

README.md

@@ -103,6 +103,10 @@ project and request to have your language added. Languages which reach 100%
 translated are are significantly reviewed will be made available on the
 osTicket download page.
 
+The software can also be translated in place in our [JIPT site]
+(http://jipt.i18n.osticket.com). Once you have a Crowdin account, login and
+translate the software in your browser!
+
 Localizing strings in new code requires usage of a [few rules](setup/doc/i18n.md).
 
 License

WHATSNEW.md

@@ -1,3 +1,102 @@
+osTicket v1.9.6
+===============
+### Enhancements
+  * New Message-Id system allowing for better threading in mail clients (#1549,
+    #1730)
+  * Fix forced session expiration after 24 hours (#1677)
+  * Staff panel logo is customizable (#1718)
+  * Priority fields have a selectable default (instead of system default) (#1732)
+  * Import/Export support for file contents via cli (#1661)
+
+### Improvements
+  * Fix broken links in documentation, thanks @Chefkeks (#1675)
+  * Fix handling of some Redmond-specific character set encoding names (#1698)
+  * Include the users name in the "To" field of outbound email (#1549)
+  * Delete collaborators when deleting tickets (#1709)
+  * Fix regression preventing auto-responses for staff new tickets (#1712)
+  * Fix empty export if ticket details form has multiple priority fields (#1732)
+  * Fix filtering by list item properties in ticket filters (#1741)
+  * Fix missing icon for "add new filter", thanks @Chefkeks (#1735)
+  * Support Firefox v6 - v12 on the file drop widget (#1776)
+  * Show update errors on access templates (#1778)
+  * Allow empty staff login banner on update (#1778)
+  * Fix corruption of text thread bodies for third-party collaborator email
+    posts (#1794)
+  * Add some hidden template variables to pop out content (#1781)
+  * Fix missing validation for user name and email address (#1816, eb8858e)
+  * Turn off search indexing when complete, disable incorrectly implemented
+    work breaking, squelch error 1062 email from search backend (afa9692)
+  * Fix possible out of memory crash in custom forms (#1707, 0440111)
+
+### Performance and Security
+  * Fix generation of random data on Windows® platforms (#1672)
+  * Fix possible DoS and brute force on login pages (#1727)
+  * Fix possible redirect away from HTTPS on client login page, thanks @ldrumm
+    (#1782)
+
+osTicket v1.9.5.1
+=================
+### Improvements
+  * Fix file.php to serve files added to system before osTicket v1.9.1
+  * Fix file.php to serve files if client panel or system is offline
+  * Fix popover download of inline images
+  * Avoid de-duplicating zero-length files
+  * Send new message alert to team members if not assigned to an agent
+  * Fix import of users to organization not setting the organization
+  * Fix redactor toolbar showing over the date picker (#1450, thanks @Chefkeks)
+
+### Performance and Security
+  * Fix XSS vulnerability in client language selection
+
+osTicket v1.9.5
+===============
+### Enhancements
+  * Add support for organization vars in templates
+    (`%{ticket.user.organization...}`) (#1561)
+  * Canned responses feature can now be disabled (#1562)
+  * Drop link redirection through l.php (#1640)
+  * Use unified file download script (#1641). Links can now be shared with
+    external users and accessed without authenticating.
+  * Ticket filters support matching and banning based on the Reply-To user
+    information (#1645)
+
+### Improvements
+  * Remove custom data when users are deleted (#1492)
+  * Fix matching of ticket number in subject (regression in v1.9.4) (#1486)
+  * Several minor translatable strings (#1441, #1489, #1560), thanks @Chefkeks
+  * Fix invalid UTF-8 chars PDF error for empty thread title (regression in
+    v1.9.4) (#1512)
+  * Consider auto response checkbox and department setting for new ticket by
+    staff (#1509)
+  * Fix PHP crash if `finfo` extension is missing (#1437)
+  * Fix export of choice field items (#1436)
+  * Properly handle alert and auto response flags from API (#1435), thanks
+    @stevepacker
+  * Fix current value of choice fields if set to boolean false (#1466)
+  * Do not reopen tickets for automated responses (#1529)
+  * Properly handle uppercase file extensions in file field configuration
+    (#1549)
+  * Fix release of ticket lock when navigating away from ticket view (#1552)
+  * Display FAQ article consistently on client portal (#1553)
+  * Avoid wrapping password reset URLs on text emails (#1558)
+  * Fix field requirement for clients when only required for agents (#1559)
+  * Fix language selection for new email template group (#1563)
+  * Fix incorrect status of new ticket if opened as `closed` and assigning to
+    an agent (#1565)
+  * Forbid disabling the only active administrator (#1569)
+  * Searching for tickets searches to midnight of the end date (#1572), thanks
+    @grintor
+  * Fix rejection of tickets by filter, even if a previous matching filter
+    would stop on match (#1644)
+  * Fix matching of `User / Email Address` in ticket filters (#1644)
+  * Properly HTML escape thread bodies when quoting (#1637)
+  * Use department email for agent alerts (#1555)
+  * Skip team assignment alert on new ticket if assigned to an agent (fddb3c7)
+  * Use custom form name as the page title when editing (#1646)
+
+### Performance and Security
+  * Fix possible XSS vulnerability in sortable table view pages (#1639)
+
 osTicket v1.9.4
 ===============
 ### Major New Features

api/api.inc.php

@@ -17,7 +17,8 @@
 
 // Disable sessions for the API. API should be considered stateless and
 // shouldn't chew up database records to store sessions
-define('DISABLE_SESSION', true);
+if (!defined('DISABLE_SESSION'))
+    define('DISABLE_SESSION', true);
 
 require_once('../main.inc.php');
 require_once(INCLUDE_DIR.'class.http.php');

api/http.php

@@ -13,6 +13,10 @@
 
     vim: expandtab sw=4 ts=4 sts=4:
 **********************************************************************/
+// Use sessions — it's important for SSO authentication, which uses
+// /api/auth/ext
+define('DISABLE_SESSION', false);
+
 require 'api.inc.php';
 
 # Include the main api urls

assets/default/css/theme.css

@@ -300,9 +300,20 @@ body {
   height: 71px;
   padding: 0 20px;
 }
-#header #logo {
-  width: 220px;
-  height: 71px;
+#logo {
+    height: 100%;
+}
+#header #logo img {
+  max-height: 65px;
+  max-width: 380px;
+  width: auto;
+  height: auto;
+  vertical-align: middle;
+}
+.valign-helper {
+    height: 100%;
+    display: inline-block;
+    vertical-align: middle;
 }
 #header p {
   width: 400px;
@@ -398,6 +409,7 @@ body {
   text-indent: -9999px;
   margin: 0 auto;
   background: url('../images/poweredby.png') top left no-repeat;
+  background-size: auto 20px;
 }
 .front-page-button {
 }

client.inc.php

@@ -29,7 +29,7 @@
 define('ASSETS_PATH',ROOT_PATH.'assets/default/');
 
 //Check the status of the HelpDesk.
-if (!in_array(strtolower(basename($_SERVER['SCRIPT_NAME'])), array('logo.php',))
+if (!in_array(strtolower(basename($_SERVER['SCRIPT_NAME'])), array('logo.php','file.php'))
         && !(is_object($ost) && $ost->isSystemOnline())) {
     include(ROOT_DIR.'offline.php');
     exit;
@@ -48,7 +48,8 @@
 $thisclient = UserAuthenticationBackend::getUser();
 
 if (isset($_GET['lang']) && $_GET['lang']) {
-    $_SESSION['client:lang'] = $_GET['lang'];
+    if (Internationalization::getLanguageInfo($_GET['lang']))
+        $_SESSION['client:lang'] = $_GET['lang'];
 }
 
 // Bootstrap gettext translations as early as possible, but after attempting

css/redactor.css

@@ -327,7 +327,7 @@ body .redactor_box_fullscreen {
   background: #fff;
   border: none;
   box-shadow: 0 1px 2px rgba(0, 0, 0, 0.2);
-  z-index: 3;
+  z-index: 1;
 }
 .redactor_toolbar:after {
   content: "";

css/rtl.css

@@ -86,7 +86,7 @@
     border-left: none;
     border-right: 1px solid rgba(0,0,0,0.7);
 }
-.rtl [class^="icon-"].pull-left, [class*=" icon-"].pull-left {
+.rtl [class^="icon-"].pull-left, [class*=" icon-"].pull-right {
     margin-right: 0;
     margin-left: 0.3em;
 }

file.php

@@ -0,0 +1,39 @@
+<?php
+/*********************************************************************
+    file.php
+
+    File download facilitator for clients
+
+    Peter Rotich <peter@osticket.com>
+    Jared Hancock <jared@osticket.com>
+    Copyright (c)  2006-2014 osTicket
+    http://www.osticket.com
+
+    Released under the GNU General Public License WITHOUT ANY WARRANTY.
+    See LICENSE.TXT for details.
+
+    vim: expandtab sw=4 ts=4 sts=4:
+**********************************************************************/
+require('client.inc.php');
+require_once(INCLUDE_DIR.'class.file.php');
+
+//Basic checks
+if (!$_GET['key']
+    || !$_GET['signature']
+    || !$_GET['expires']
+    || !($file = AttachmentFile::lookup($_GET['key']))
+) {
+    Http::response(404, __('Unknown or invalid file'));
+}
+
+// Validate session access hash - we want to make sure the link is FRESH!
+// and the user has access to the parent ticket!!
+if ($file->verifySignature($_GET['signature'], $_GET['expires'])) {
+    if (($s = @$_GET['s']) && strpos($file->getType(), 'image/') === 0)
+        return $file->display($s);
+
+    // Download the file..
+    $file->download(@$_GET['disposition'] ?: false, $_GET['expires']);
+}
+// else
+Http::response(404, __('Unknown or invalid file'));