Merge branch '1.17.x' into develop

Author: JediKev

.gitignore

@@ -7,6 +7,8 @@ setup/cli/modules/importer
 .vagrant
 ._.DS_Store
 Vagrantfile
+# VS Code workspace files
+*.code-workspace
 
 # Staging directory used for packaging script
 stage

README.md

@@ -22,13 +22,13 @@ easy to setup and use. The best part is, it's completely free.
 Requirements
 ------------
   * HTTP server running Microsoft® IIS or Apache
-  * PHP version 8.1 - 8.2 (8.2 recommended)
+  * PHP version 8.2 - 8.4 (8.4 recommended)
   * mysqli extension for PHP
   * MySQL database version 5.5 (or greater)
 
 ### Recommendations
-  * fileinfo, gd, gettext, imap, intl, json, mbstring, Zend OPcache, phar,
-    xml, xml-dom, and zip extensions for PHP
+  * ctype, fileinfo, gd, gettext, iconv, imap, intl, json, mbstring,
+    Zend OPcache, phar, xml, xml-dom, and zip extensions for PHP
   * APCu module enabled and configured for PHP
 
 Deployment

WHATSNEW.md

@@ -16,6 +16,67 @@ osTicket v1.18
 * Database: Change Plugin Name to varchar(255) (aac546d0)
 * update: MAJOR_VERSION (3eac42e5)
 
+osTicket v1.17.6
+================
+### Improvements
+* Fix PR #6283: DB column value of "local backend" is 'client' and not 'local' (7805cd94)
+* i18n: Tasks Department ID Missing (00bc6b1b)
+* issue: Checkbox Template Variable (09de9587)
+* Fixed mailfetch error message (cd4717a1)
+* issue: fix square characters being printed when printing tickets that's using languages like Thai (872a6492, 25844034)
+* issue: Position Styling.. Again (7f03a64b, b843fb15)
+* mysqli: Multi-Host Failure (0a8475fb)
+* issue: Task Last Respondent (5277c7ab)
+* i18n: Schedules getDays() (f2facda3)
+* issue: Referred Closed Tickets (a7b0711d)
+* php: Update Prerequisites (d331a44c)
+* i18n: Lang URL Param (fece6ff7)
+* mysql: Update Minimum Version (317ab967)
+* Fix ajax path for AddRemoteCollaborator (6df6cd98)
+* Fix staff mobile field class (f8455c82)
+* patches: Latest 05/28/2024 (2d65cb77, 36b4c94f, 854cf47c, d9fe3ada)
+* upgrade: Laminas-Mail (2.25.1) (c0a74162, 939a278c, f658268d)
+* hotfix: Fix getRawEmail() (c26d840c, 1eb71197)
+* issue: Linked Icon annotation (6c096cce)
+* fix(email): fix case sensitivity in "Action" header retrieval (07843598)
+* Upgrade mimeDecode.php from v1.48 to v1.5.6 2016-08-28 (cbd78ac8)
+* mailer: sendmail() Failure (14e2057b)
+* php: 8.3 Support (a3931f46, b38db372, fea5e1e0, 387a1c04, 136d372e)
+* issue: Ticket Relations (9426b2dd)
+* issue: Basic Search Selector (74b8bd0e)
+* mail: Reapply Memory Optimization (eaaa64d9, ab76ffe8)
+* php: iconv Recommendation (33ecc3a0)
+* Ignore VS Code Workspace Files (0da2e0e0)
+* issue: Email Remote Backend Name (b54dd584)
+* issue: Safari Response Content Disposition (64a5df68)
+* api: DueDate and Other Errors (14814ae2)
+* issue: Multiselect List Export (f3bf8553)
+* issue: Image Annotation (aeeb2850)
+* user: List Import (fec70c4a)
+* issue: Latest SQL Warnings (9bdfde5a)
+* fields: Variable Name Validation (0724d1ad)
+* issue: Transfer Empty Comments Var (ed87b257)
+* update: Composer symfony/process (59f25918)
+* issue: Client ACL Staff File Download (8255b2e7)
+* update: PHP Deprecations & Warnings (84c14ace)
+* issue: User Lookup Umlaut (504b0bfb)
+* issue: Department Field User Import (5c2b6a5d)
+* Fix force-https auto-enabling on settings page (3805bbfd)
+* queue: getTotal Incorrect Counts (4f137dc2)
+* issue: Referred Tickets Incorrect Queue Counts (b42cad6f)
+* php: 8.4 Support (a4c0f674, b4938b99, 5e5a9ff5, fb9a39ba)
+* issue: Canned Response Access (b930a68b)
+* issue: Excessive Fetching Errors (c546a167)
+* issue: Plain-text Base64 (216ded32)
+* i18n: Crowdin API v2 (0ec6670d)
+* issue: iFrame Logins (3a5da66b)
+* issue: mimeDecode .eml Attachments (7fc3d8c2)
+* patches: Latest 11/18/2024 (416b548b, 245e7554)
+* Revert part of 0784359 commit (ec76a203)
+
+### Security
+* security: Latest Vulns 01/2025 (193f5fe0, ab6672fa)
+
 osTicket v1.17.5
 ================
 ### Improvements

bootstrap.php

@@ -22,8 +22,6 @@ static function init() {
 
         #Error reporting...Good idea to ENABLE error reporting to a file. i.e display_errors should be set to false
         $error_reporting = E_ALL & ~E_NOTICE & ~E_WARNING;
-        if (defined('E_STRICT')) # 5.4.0
-            $error_reporting &= ~E_STRICT;
         if (defined('E_DEPRECATED')) # 5.3.0
             $error_reporting &= ~(E_DEPRECATED | E_USER_DEPRECATED);
         error_reporting($error_reporting); //Respect whatever is set in php.ini (sysadmin knows better??)
@@ -214,15 +212,16 @@ static function connect() {
         $hosts = explode(',', DBHOST);
         foreach ($hosts as $host) {
             $ferror  = null;
-            if (!db_connect($host, DBUSER, DBPASS, $options)) {
-                $ferror = sprintf('Unable to connect to the database — %s',
-                        db_connect_error());
-            }elseif(!db_select_database(DBNAME)) {
-                $ferror = sprintf('Unknown or invalid database: %s',
-                        DBNAME);
-           }
-           // break if no error
-           if (!$ferror) break;
+            try {
+                if (!db_connect($host, DBUSER, DBPASS, $options))
+                    $ferror = sprintf('Unable to connect to the database — %s', db_connect_error());
+                elseif (!db_select_database(DBNAME))
+                    $ferror = sprintf('Unknown or invalid database: %s', DBNAME);
+            } catch (mysqli_sql_exception $e) {
+                $ferror = sprintf('Database error — %s', $e->getMessage());
+            }
+            // break if no error
+            if (!$ferror) break;
         }
 
         if ($ferror) //Fatal error
@@ -341,7 +340,7 @@ function mb_str_wc($str) {
     static function croak($message) {
         $msg = $message."\n\n".THISPAGE;
         osTicket\Mail\Mailer::sendmail(ADMIN_EMAIL, 'osTicket Fatal Error', $msg,
-            sprintf('"osTicket Alerts"<%s>', ADMIN_EMAIL));
+            sprintf('"osTicket Alerts" <%s>', ADMIN_EMAIL));
         //Display generic error to the user
         Http::response(500, "<b>Fatal Error:</b> Contact system administrator.");
     }

include/ajax.content.php

@@ -20,6 +20,11 @@
 class ContentAjaxAPI extends AjaxController {
 
     function syslog($id) {
+        global $thisstaff;
+
+        // Ensure there is a Staff and that they are an Administrator
+        if (!$thisstaff || !$thisstaff->isAdmin())
+            Http::response(403, 'Access Denied');
 
         if($id && ($log=Log::lookup($id))) {
             $content=sprintf('<div
@@ -142,8 +147,8 @@ function getSignature($type, $id=null) {
     function manageContent($id, $lang=false) {
         global $thisstaff, $cfg;
 
-        if (!$thisstaff)
-            Http::response(403, 'Login Required');
+        if (!$thisstaff || !$thisstaff->isAdmin())
+            Http::response(403, 'Access Denied');
 
         $content = Page::lookup($id, $lang);
 
@@ -168,8 +173,8 @@ function manageContent($id, $lang=false) {
     function manageNamedContent($type, $lang=false) {
         global $thisstaff, $cfg;
 
-        if (!$thisstaff)
-            Http::response(403, 'Login Required');
+        if (!$thisstaff || !$thisstaff->isAdmin())
+            Http::response(403, 'Access Denied');
 
         $langs = $cfg->getSecondaryLanguages();
 
@@ -182,8 +187,8 @@ function manageNamedContent($type, $lang=false) {
     function updateContent($id) {
         global $thisstaff;
 
-        if (!$thisstaff)
-            Http::response(403, 'Login Required');
+        if (!$thisstaff || !$thisstaff->isAdmin())
+            Http::response(403, 'Access Denied');
         elseif (!($content = Page::lookup($id)))
             Http::response(404, 'No such content');
 

include/ajax.draft.php

@@ -242,6 +242,7 @@ function uploadInlineImageEarlyClient($namespace) {
 
         $draft = Draft::create(array(
             'namespace' => $namespace,
+            'body' => ''
         ));
         if (!$draft->save())
             Http::response(500, 'Unable to create draft');
@@ -312,7 +313,8 @@ function uploadInlineImageEarly($namespace) {
             Http::response(403, "Login required for image upload");
 
         $draft = Draft::create(array(
-            'namespace' => $namespace
+            'namespace' => $namespace,
+            'body' => ''
         ));
         if (!$draft->save())
             Http::response(500, 'Unable to create draft');

include/ajax.users.php

@@ -323,7 +323,7 @@ function addRemoteUser($bk, $id) {
         elseif (!$bk || !$id)
             Http::response(422, 'Backend and user id required');
         elseif (!($backend = AuthenticationBackend::getSearchDirectoryBackend($bk))
-                || !($user_info = $backend->lookup($id)))
+                || !($user_info = $backend->lookup(html_entity_decode($id))))
             Http::response(404, 'User not found');
 
         $form = UserForm::getUserForm()->getForm($user_info);

include/api.tickets.php

@@ -43,15 +43,22 @@ function getRequestStructure($format, $data=null) {
             foreach ($form->getFields() as $field)
                 $supported[] = $field->get('name');
 
-        if(!strcasecmp($format, 'email')) {
-            $supported = array_merge($supported, array('header', 'mid',
-                'emailId', 'to-email-id', 'ticketId', 'reply-to', 'reply-to-name',
-                'in-reply-to', 'references', 'thread-type', 'system_emails',
-                'mailflags' => array('bounce', 'auto-reply', 'spam', 'viral'),
-                'recipients' => array('*' => array('name', 'email', 'source'))
-                ));
-
-            $supported['attachments']['*'][] = 'cid';
+        switch ($format) {
+            case 'email':
+                $supported = array_merge($supported, [
+                    'header', 'mid', 'emailId', 'to-email-id', 'ticketId', 'reply-to',
+                    'reply-to-name', 'in-reply-to', 'references', 'thread-type', 'system_emails',
+                    'mailflags' => ['bounce', 'auto-reply', 'spam', 'viral'],
+                    'recipients' => ['*' => ['name', 'email', 'source']]
+                ]);
+                $supported['attachments']['*'][] = 'cid';
+                break;
+            case 'json':
+            case 'xml':
+                $supported = array_merge($supported, [
+                    'duedate', 'slaId', 'staffId'
+                ]);
+                break;
         }
 
         return $supported;

include/class.api.php

@@ -387,8 +387,8 @@ function parse($stream) {
     function fixup($current) {
         global $cfg;
 
-		if($current['ticket'])
-			$current = $current['ticket'];
+        if (isset($current['ticket']))
+            $current = $current['ticket'];
 
         if (!is_array($current))
             return $current;

include/class.attachment.php

@@ -192,7 +192,7 @@ function save($file, $inline=true) {
     function getInlines($lang=false) { return $this->_getList(false, true, $lang); }
     function getSeparates($lang=false) { return $this->_getList(true, false, $lang); }
     function getAll($lang=false) { return $this->_getList(true, true, $lang); }
-    function count($lang=false) { return count($this->getSeparates($lang)); }
+    function count($lang=false): int { return count($this->getSeparates($lang)); }
 
     function _getList($separates=false, $inlines=false, $lang=false) {
         $base = $this;

include/class.canned.php

@@ -311,6 +311,12 @@ function update($vars,&$errors) {
 
         return true;
     }
+
+    function staffCanAccess($staff) {
+        if (!$staff instanceof Staff)
+            return false;
+        return (!$this->dept || (($role = $staff->getRole($this->dept)) && $role->hasPerm(Canned::PERM_MANAGE)));
+    }
 }
 RolePermission::register( /* @trans */ 'Knowledgebase', Canned::getPermissions());
 

include/class.config.php

@@ -195,7 +195,9 @@ static function cleanPwResets() {
             ))->delete();
     }
 
-    static function getConfigsByNamespace(?string $namespace=null, $key, $value=false) {
+
+    static function getConfigsByNamespace(?string $namespace, $key, $value=false) {
+      
         $filter = array();
 
          $filter['key'] = $key;

include/class.dynamic_forms.php

@@ -914,7 +914,7 @@ function isValid() {
                 /* `variable` is used for automation. Internally it's called `name` */
                 ), "name");
         }
-        if ($this->get('name') && !preg_match('/^(?!\d)([[:alnum:]]|_|-)+$/u', $this->get('name')))
+        if ($this->get('name') && !preg_match('/^(?!\d)([[:alnum:]]|_)+$/u', $this->get('name')))
             $this->addError(__(
                 'Invalid character in variable name. Please use letters and numbers only.'
             ), 'name');
@@ -1355,7 +1355,7 @@ function saveAnswers($isEditable=null, $refetch=false) {
                     //use getChanges if getClean returns an empty array
                     $fieldClean = $field->getClean() ?: $field->getChanges();
                     if (is_array($fieldClean) && $fieldClean[0])
-                        $fieldClean = json_decode($fieldClean[0], true);
+                        $fieldClean = is_string($fieldClean[0]) ? json_decode($fieldClean[0], true) : $fieldClean[0];
                 } else
                     $fieldClean = $field->getClean();
 
@@ -1593,7 +1593,7 @@ function parse($value) {
         $selection = array();
 
         if ($value && !is_array($value))
-            $value = array($value);
+            $value = JsonDataParser::parse($value) ?: array($value);
 
         if ($value && is_array($value)) {
             foreach ($value as $k=>$v) {
@@ -1633,6 +1633,7 @@ function to_php($value, $id=false) {
             $values = array();
             $choices = $this->getChoices();
             foreach (explode(',', $value) as $V) {
+                $V = trim($V);
                 if (isset($choices[$V]))
                     $values[$V] = $choices[$V];
             }

include/class.email.php

@@ -1357,7 +1357,7 @@ protected function setInfo($vars, &$errors) {
         // matching.
         if ($vars['smtp_active'] == 1
                 && ($vars['smtp_auth_bk'] === 'mailbox')
-                && (strpos($vars['auth_bk'], 'oauth2') === 0)
+                && (strpos($vars['mailbox_auth_bk'], 'oauth2') === 0)
                 && !$this->checkStrictMatching())
             $_errors['smtp_auth_bk'] = sprintf('%s and %s', __('Resource Owner'), __('Email Mismatch'));
 

include/class.export.php

@@ -322,7 +322,7 @@ static function departmentMembers($dept, $agents, $filename='', $how='csv') {
     exit;
   }
 
-  static function audits($type, ?string $filename=null, ?string $tableInfo=null, ?string $object=null, ?string $how='csv', ?bool $show_viewed=true, ?array $data=array(), CsvExporter $exporter) {
+  static function audits($type, ?string $filename, ?string $tableInfo, ?string $object, ?string $how='csv', ?bool $show_viewed=true, ?array $data=array(), CsvExporter $exporter) {
       $headings = array('Description', 'Timestamp', 'IP');
       switch ($type) {
           case 'audit':
@@ -620,7 +620,7 @@ function escape($data) {
     }
 
     function write($data) {
-        fputcsv($this->fp, $this->escape($data), $this->getDelimiter());
+        fputcsv($this->fp, $this->escape($data), $this->getDelimiter(), "\"", "");
     }
 
 }
@@ -725,15 +725,15 @@ function dump($tmp=false) {
         $delimiter = $this->getDelimiter();
         // Output a UTF-8 BOM (byte order mark)
         fputs($this->output, chr(0xEF) . chr(0xBB) . chr(0xBF));
-        fputcsv($this->output, $this->getHeaders(), $delimiter);
+        fputcsv($this->output, $this->getHeaders(), $delimiter, "\"", "");
         while ($row=$this->next())
             fputcsv($this->output, array_map(
                 function($v){
                     if (preg_match('/^[=\-+@].*/', $v))
                         return "'".$v;
                     return $v;
                 }, $row),
-            $delimiter);
+            $delimiter, "\"", "");
 
         if (!$tmp)
             fclose($this->output);

include/class.filter_action.php

@@ -89,7 +89,7 @@ function getImpl() {
         return $this->_impl;
     }
 
-    static function setFilterFlags(?object $actions=null, $flag, $bool) {
+    static function setFilterFlags(?object $actions, $flag, $bool) {
         $flag = constant($flag);
         if ($actions)
             foreach ($actions as $action)