#255 Update code for 2.6.3

2015-06-23 23:29:16 -04:00 · 2015-06-23 23:29:16 -04:00 · 139853e0d4
commit 139853e0d4
parent 5d5a25bf2c
14 changed files with 219 additions and 58 deletions
--- a/admin/admin_reply_ticket.php
+++ b/admin/admin_reply_ticket.php
@ -288,6 +288,12 @@ elseif ($submit_as_customer)
    $customerReplyStatusRs = hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsCustomerReplyStatus` = 1 LIMIT 1');
    $customerReplyStatus = hesk_dbFetchAssoc($customerReplyStatusRs);
    $new_status = $customerReplyStatus['ID'];
+
+    if ($ticket['status'] != $new_status)
+	{
+		$revision   = sprintf($hesklang['thist9'],hesk_date(),$hesklang['wait_reply'],$_SESSION['name'].' ('.$_SESSION['user'].')');
+		$sql_status = " , `history`=CONCAT(`history`,'".hesk_dbEscape($revision)."') ";
+	}
 }
 // -> Default: submit as "Replied by staff"
 else
--- a/admin/admin_ticket.php
+++ b/admin/admin_ticket.php
@ -2110,8 +2110,12 @@ function hesk_printCanned()
            return true;
        }

+        myMsg = myMsg.replace(/%%HESK_ID%%/g, '<?php echo hesk_jsString($ticket['id']); ?>');
+        myMsg = myMsg.replace(/%%HESK_TRACKID%%/g, '<?php echo hesk_jsString($ticket['trackid']); ?>');
+        myMsg = myMsg.replace(/%%HESK_TRACK_ID%%/g, '<?php echo hesk_jsString($ticket['trackid']); ?>');
 		myMsg = myMsg.replace(/%%HESK_NAME%%/g, '<?php echo hesk_jsString($ticket['name']); ?>');
 		myMsg = myMsg.replace(/%%HESK_EMAIL%%/g, '<?php echo hesk_jsString($ticket['email']); ?>');
+        myMsg = myMsg.replace(/%%HESK_OWNER%%/g, '<?php echo hesk_jsString( isset($admins[$ticket['owner']]) ? $admins[$ticket['owner']] : ''); ?>');
 		myMsg = myMsg.replace(/%%HESK_custom1%%/g, '<?php echo hesk_jsString($ticket['custom1']); ?>');
 		myMsg = myMsg.replace(/%%HESK_custom2%%/g, '<?php echo hesk_jsString($ticket['custom2']); ?>');
 		myMsg = myMsg.replace(/%%HESK_custom3%%/g, '<?php echo hesk_jsString($ticket['custom3']); ?>');
--- a/admin/index.php
+++ b/admin/index.php
@ -217,6 +217,10 @@ function do_login()
    	hesk_process_messages($hesklang['chdp'],'NOREDIRECT','NOTICE');
    }

+    // Set a tag that will be used to expire sessions after username or password change
+    $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']);
+
+    // We don't need the password hash anymore
 	unset($_SESSION['pass']);


--- a/admin/mail.php
+++ b/admin/mail.php
@ -328,6 +328,12 @@ function mail_send()
 	/* Message */
 	$_SESSION['mail']['message'] = hesk_input( hesk_POST('message') ) or $hesk_error_buffer .= '<li>' . $hesklang['enter_message'] . '</li>';

+    // Attach signature to the message?
+    if ( ! empty($_POST['signature']))
+    {
+    	$_SESSION['mail']['message'] .= "\n\n" . addslashes($_SESSION['signature']) . "\n";
+    }
+
 	/* Any errors? */
 	if (strlen($hesk_error_buffer))
 	{
@ -711,6 +717,12 @@ function show_new_form()
                    echo stripslashes($_SESSION['mail']['message']);
                }
                ?></textarea>
+                <div class="checkbox">
+                    <label>
+                        <input type="checkbox" name="signature" value="1" checked>
+                        <?php echo $hesklang['attach_sign']; ?>
+                    </label> (<a href="profile.php"><?php echo $hesklang['profile_settings']; ?></a>)
+                </div>
            </div>
        </div>
        <div class="form-group">
--- a/admin/manage_canned.php
+++ b/admin/manage_canned.php
@ -278,8 +278,11 @@ myField.value += myValue;
                                }
                            ?></textarea>
                        <?php echo $hesklang['insert_special']; ?>:
+                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_ID')"><?php echo $hesklang['seqid']; ?></a> |
+                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_TRACK_ID')"><?php echo $hesklang['trackID']; ?></a> |
                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_NAME')"><?php echo $hesklang['name']; ?></a> |
-                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_EMAIL')"><?php echo $hesklang['email']; ?></a>
+                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_EMAIL')"><?php echo $hesklang['email']; ?></a> |
+                        <a href="javascript:void(0)" onclick="hesk_insertTag('HESK_OWNER')"><?php echo $hesklang['owner']; ?></a>
                        <?php
                            foreach ($hesk_settings['custom_fields'] as $k=>$v)
                            {
--- a/admin/profile.php
+++ b/admin/profile.php
@ -239,12 +239,12 @@ function update_profile() {
 			}
            else
            {
-				$v = hesk_Pass2Hash($newpass);
-				if ($v == '499d74967b28a841c98bb4baaabaad699ff3c079')
+                $newpass_hash = hesk_Pass2Hash($newpass);
+                if ($newpass_hash == '499d74967b28a841c98bb4baaabaad699ff3c079')
 				{
 					define('WARN_PASSWORD',true);
 				}
-				$sql_pass = ',`pass`=\''.$v.'\'';
+                $sql_pass = ',`pass`=\''.$newpass_hash.'\'';
            }
        }
 	}
@ -314,6 +314,21 @@ function update_profile() {
 		/* Process the session variables */
 		$_SESSION['new'] = hesk_stripArray($_SESSION['new']);

+        // Do we need a new session_verify tag?
+        if ( strlen($sql_username) && strlen($sql_pass) )
+        {
+        	$_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['new']['user'], $newpass_hash);
+        }
+        elseif ( strlen($sql_pass) )
+    	{
+			$_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['user'], $newpass_hash);
+		}
+		elseif ( strlen($sql_username) )
+	    {
+			$res = hesk_dbQuery('SELECT `pass` FROM `'.hesk_dbEscape($hesk_settings['db_pfix'])."users` WHERE `id` = '".intval($_SESSION['id'])."' LIMIT 1");
+			$_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['new']['user'], hesk_dbResult($res) );
+		}
+
        /* Update session variables */
        foreach ($_SESSION['new'] as $k => $v)
        {
--- a/change_status.php
+++ b/change_status.php
@ -53,12 +53,18 @@ $trackingID = hesk_cleanID() or die("$hesklang[int_error]: $hesklang[no_trackID]

 // Get new status
 $status = intval( hesk_GET('s', 0) );
+$oldStatus = $status;

 $locked = 0;

 // Connect to database
 hesk_dbConnect();

+// Get the close status. It'll be used later on
+$statusRes = hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsClosedByClient` = 1');
+$statusRow = hesk_dbFetchAssoc($statusRes);
+$closedStatus = $statusRow['ID'];
+
 if ($status == 3) // Closed
 {
    // Is customer closing tickets enabled?
@ -66,11 +72,7 @@ if ($status == 3) // Closed
    {
        hesk_error($hesklang['attempt']);
    }
-
-    //-- They want to close the ticket, so get the status that is the default for client-side closes
-    $statusRow = hesk_dbFetchAssoc(hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsClosedByClient` = 1'));
-
-    $status = $statusRow['ID'];
+    $status = $closedStatus;
 	$action = $hesklang['closed'];
    $revision = sprintf($hesklang['thist3'],hesk_date(),$hesklang['customer']);

@ -90,6 +92,11 @@ elseif ($status == 2) // Opened
 		hesk_error($hesklang['attempt']);
 	}

+    //-- They want to close the ticket, so get the status that is the default for client-side closes
+    $statusRes = hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsDefaultStaffReplyStatus` = 1');
+    $statusRow = hesk_dbFetchAssoc($statusRes);
+    $status = $statusRow['ID'];
+
 	$action = $hesklang['opened'];
    $revision = sprintf($hesklang['thist4'],hesk_date(),$hesklang['customer']);

@ -110,6 +117,30 @@ hesk_dbConnect();
 // Verify email address match if needed
 hesk_verifyEmailMatch($trackingID);

+// Lets make status assignment a bit smarter when reopening tickets
+if ($oldStatus == 2)
+{
+	// Get number of replies and last replier (customer or staff)
+	$ticket = hesk_dbFetchAssoc( hesk_dbQuery( "SELECT `staffreplies`, `lastreplier` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."tickets` WHERE `trackid`='".hesk_dbEscape($trackingID)."' LIMIT 1") );
+
+	// If ticket has no staff replies set the status to "New"
+	if ($ticket['staffreplies'] < 1)
+	{
+        $statusRes = hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsNewTicketStatus` = 1');
+        $statusRow = hesk_dbFetchAssoc($statusRes);
+        $status = $statusRow['ID'];
+	}
+    // If last reply was by customer set status to "Waiting reply from staff"
+    elseif ($ticket['lastreplier'] == 0)
+    {
+        $statusRes = hesk_dbQuery('SELECT `ID` FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'statuses` WHERE `IsCustomerReplyStatus` = 1');
+        $statusRow = hesk_dbFetchAssoc($statusRes);
+        $status = $statusRow['ID'];
+	}
+	// If nothing matches: last reply was from staff, keep status "Waiting reply from customer"
+}
+
+
 // Modify values in the database
 hesk_dbQuery("UPDATE `".hesk_dbEscape($hesk_settings['db_pfix'])."tickets` SET `status`='{$status}', `locked`='{$locked}' $closedby_sql , `history`=CONCAT(`history`,'".hesk_dbEscape($revision)."') WHERE `trackid`='".hesk_dbEscape($trackingID)."' AND `locked` != '1' LIMIT 1");

@ -120,7 +151,7 @@ if (hesk_dbAffectedRows() != 1)
 }

 // Show success message
-if ($status == 2)
+if ($status != $closedStatus)
 {
 	hesk_process_messages($hesklang['wrepo'],'ticket.php?track='.$trackingID.$hesk_settings['e_param'].'&Refresh='.rand(10000,99999),'NOTICE');
 }
--- a/inc/admin_functions.inc.php
+++ b/inc/admin_functions.inc.php
@ -368,6 +368,34 @@ function hesk_getHTML($in)
 } // END hesk_getHTML()


+function hesk_activeSessionValidate($username, $password_hash, $tag)
+{
+    // Salt and hash need to be separated by a |
+    if ( ! strpos($tag, '|') )
+    {
+        return false;
+    }
+
+    // Get two parts of the tag
+    list($salt, $hash) = explode('|', $tag, 2);
+
+    // Make sure the hash matches existing username and password
+    if ($hash == sha1($salt . $username . $password_hash) )
+    {
+        return true;
+    }
+
+    return false;
+} // hesk_activeSessionValidate
+
+
+function hesk_activeSessionCreateTag($username, $password_hash)
+{
+    $salt = uniqid(mt_rand(), true);
+    return $salt . '|' . sha1($salt . $username . $password_hash);
+} // END hesk_activeSessionCreateTag()
+
+
 function hesk_autoLogin($noredirect=0)
 {
 	global $hesk_settings, $hesklang, $hesk_db_link;
@ -422,6 +450,10 @@ function hesk_autoLogin($noredirect=0)
    	hesk_process_messages($hesklang['chdp'],'NOREDIRECT','NOTICE');
    }

+    // Set a tag that will be used to expire sessions after username or password change
+    $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']);
+
+    // We don't need the password hash anymore
 	unset($_SESSION['pass']);

 	/* Login successful, clean brute force attempts */
@ -494,7 +526,7 @@ function hesk_isLoggedIn()
 	$referer = hesk_input($_SERVER['REQUEST_URI']);
 	$referer = str_replace('&amp;','&',$referer);

-    if (empty($_SESSION['id']))
+    if ( empty($_SESSION['id']) || empty($_SESSION['session_verify']) )
    {
    	if ($hesk_settings['autologin'] && hesk_autoLogin(1) )
        {
@ -508,6 +540,7 @@ function hesk_isLoggedIn()
        	return true;
        }

+        hesk_session_stop();
        $url = 'index.php?a=login&notice=1&goto='.urlencode($referer);
        header('Location: '.$url);
        exit();
@ -516,31 +549,40 @@ function hesk_isLoggedIn()
    {
        hesk_session_regenerate_id();

-        // Need to update permissions?
-		if ( empty($_SESSION['isadmin']) )
-		{
-			$res = hesk_dbQuery("SELECT `isadmin`, `categories`, `heskprivileges` FROM `".$hesk_settings['db_pfix']."users` WHERE `id` = '".intval($_SESSION['id'])."' LIMIT 1");
-			if (hesk_dbNumRows($res) == 1)
-			{
-				$me = hesk_dbFetchAssoc($res);
-				foreach ($me as $k => $v)
-				{
-					$_SESSION[$k]=$v;
-				}
+        // Let's make sure access data is up-to-date
+        $res = hesk_dbQuery( "SELECT `user`, `pass`, `isadmin`, `categories`, `heskprivileges` FROM `".$hesk_settings['db_pfix']."users` WHERE `id` = '".intval($_SESSION['id'])."' LIMIT 1" );

-				// Get allowed categories
-				if  (empty($_SESSION['isadmin']) )
-				{
-					$_SESSION['categories']=explode(',',$_SESSION['categories']);
-				}
-			}
-            else
+        // Exit if user not found
+        if (hesk_dbNumRows($res) != 1)
 		{
            hesk_session_stop();
            $url = 'index.php?a=login&notice=1&goto='.urlencode($referer);
            header('Location: '.$url);
            exit();
        }
+
+        // Fetch results from database
+        $me = hesk_dbFetchAssoc($res);
+
+        // Verify this session is still valid
+        if ( ! hesk_activeSessionValidate($me['user'], $me['pass'], $_SESSION['session_verify']) )
+        {
+            hesk_session_stop();
+            $url = 'index.php?a=login&notice=1&goto='.urlencode($referer);
+            header('Location: '.$url);
+            exit();
+        }
+
+        // Update session variables as needed
+        if ($me['isadmin'] == 1)
+        {
+            $_SESSION['isadmin'] = 1;
+        }
+        else
+        {
+            $_SESSION['isadmin'] = 0;
+            $_SESSION['categories'] = explode(',', $me['categories']);
+            $_SESSION['heskprivileges'] = $me['heskprivileges'];
        }

 		// Users online
--- a/inc/common.inc.php
+++ b/inc/common.inc.php
@ -1259,7 +1259,7 @@ function hesk_makeURL($text, $class = '', $shortenLinks = true)

 	// matches a xxxx://aaaaa.bbb.cccc. ...
 	$text = preg_replace_callback(
-		'#(^|[\n\t (>.])([a-z][a-z\d+]*:/{2}(?:(?:[a-z0-9\-._~!$&\'(*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[a-z0-9\-._~!$&\'(*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[a-z0-9\-._~!$&\'(*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[a-z0-9\-._~!$&\'(*+,;=:@/?|]+|%[\dA-F]{2})*)?)#i',
+        '#(^|[\n\t (>.])(' . "[a-z][a-z\d+]*:/{2}(?:(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})+|[0-9.]+|\[[a-z0-9.]+:[a-z0-9.]+:[a-z0-9.:]+\])(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?" . ')#iu',
 		create_function(
 			"\$matches",
 			"return  make_clickable_callback(MAGIC_URL_FULL, \$matches[1], \$matches[2], '', '$class', '$shortenLinks');"
@ -1269,7 +1269,7 @@ function hesk_makeURL($text, $class = '', $shortenLinks = true)

 	// matches a "www.xxxx.yyyy[/zzzz]" kinda lazy URL thing
 	$text = preg_replace_callback(
-		'#(^|[\n\t (>.])(www\.(?:[a-z0-9\-._~!$&\'(*+,;=:@|]+|%[\dA-F]{2})+(?::\d*)?(?:/(?:[a-z0-9\-._~!$&\'(*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[a-z0-9\-._~!$&\'(*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[a-z0-9\-._~!$&\'(*+,;=:@/?|]+|%[\dA-F]{2})*)?)#i',
+        '#(^|[\n\t (>])(' . "www\.(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})+(?::\d*)?(?:/(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@|]+|%[\dA-F]{2})*)*(?:\?(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?(?:\#(?:[^\p{C}\p{Z}\p{S}\p{P}\p{Nl}\p{No}\p{Me}\x{1100}-\x{115F}\x{A960}-\x{A97C}\x{1160}-\x{11A7}\x{D7B0}-\x{D7C6}\x{20D0}-\x{20FF}\x{1D100}-\x{1D1FF}\x{1D200}-\x{1D24F}\x{0640}\x{07FA}\x{302E}\x{302F}\x{3031}-\x{3035}\x{303B}]*[\x{00B7}\x{0375}\x{05F3}\x{05F4}\x{30FB}\x{002D}\x{06FD}\x{06FE}\x{0F0B}\x{3007}\x{00DF}\x{03C2}\x{200C}\x{200D}\pL0-9\-._~!$&'(*+,;=:@/?|]+|%[\dA-F]{2})*)?" . ')#iu',
 		create_function(
 			"\$matches",
 			"return  make_clickable_callback(MAGIC_URL_WWW, \$matches[1], \$matches[2], '', '$class', '$shortenLinks');"
@ -1279,7 +1279,7 @@ function hesk_makeURL($text, $class = '', $shortenLinks = true)

 	// matches an email address
 	$text = preg_replace_callback(
-        '/(^|[\n\t (>])(' . '(?:(?:(?:[^@,"\[\]\x5c\x00-\x20\x7f-\xff\.]|\x5c(?=[@,"\[\]\x5c\x00-\x20\x7f-\xff]))(?:[^@,"\[\]\x5c\x00-\x20\x7f-\xff\.]|(?<=\x5c)[@,"\[\]\x5c\x00-\x20\x7f-\xff]|\x5c(?=[@,"\[\]\x5c\x00-\x20\x7f-\xff])|\.(?=[^\.])){1,62}(?:[^@,"\[\]\x5c\x00-\x20\x7f-\xff\.]|(?<=\x5c)[@,"\[\]\x5c\x00-\x20\x7f-\xff])|[^@,"\[\]\x5c\x00-\x20\x7f-\xff\.]{1,2})|"(?:[^"]|(?<=\x5c)"){1,62}")@(?:(?!.{64})(?:[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9]\.?|[a-zA-Z0-9]\.?)+\.(?:xn--[a-zA-Z0-9]+|[a-zA-Z]{2,6})|\[(?:[0-1]?\d?\d|2[0-4]\d|25[0-5])(?:\.(?:[0-1]?\d?\d|2[0-4]\d|25[0-5])){3}\])' . ')/iu',
+        '/(^|[\n\t (>])(' . '((?:[\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*(?:[\w\!\#$\%\'\*\+\-\/\=\?\^\`{\|\}\~]|&amp;)+)@((((([a-z0-9]{1}[a-z0-9\-]{0,62}[a-z0-9]{1})|[a-z])\.)+[a-z]{2,63})|(\d{1,3}\.){3}\d{1,3}(\:\d{1,5})?)' . ')/iu',
 		create_function(
 			"\$matches",
 			"return  make_clickable_callback(MAGIC_URL_EMAIL, \$matches[1], \$matches[2], '', '$class', '$shortenLinks');"
--- a/inc/knowledgebase_functions.inc.php
+++ b/inc/knowledgebase_functions.inc.php
@ -270,12 +270,19 @@ function hesk_kbSearchLarge($admin = '')
 {
 	global $hesk_settings, $hesklang;

-	if ($hesk_settings['kb_search'] != 2)
+    $action = 'knowledgebase.php';
+    if ($admin)
+    {
+        if ( ! $hesk_settings['kb_search'])
+        {
+            return '';
+        }
+        $action = 'knowledgebase_private.php';
+    }
+    elseif ($hesk_settings['kb_search'] != 2)
    {
 		return '';
 	}
-
-    $action = $admin ? 'knowledgebase_private.php' : 'knowledgebase.php';

 	?>

--- a/inc/posting_functions.inc.php
+++ b/inc/posting_functions.inc.php
@ -176,18 +176,34 @@ function hesk_newTicket($ticket, $isVerified = true)

 function hesk_cleanFileName($filename)
 {
+    $parts = pathinfo($filename);
+
+    if ( isset($parts['filename']) )
+    {
+        $filename = $parts['filename'];
+    }
+    // PHP < 5.2 needs special care
+    elseif ( version_compare(PHP_VERSION, '5.2','<') )
+    {
+        $filename = rtrim( str_ireplace($parts['extension'], '', $filename), '.');
+    }
+    else
+    {
+        $filename = '';
+    }
+
    $filename = str_replace( array( '%20', '+' ), '-', $filename );
 	$filename = preg_replace('/[\s-]+/', '-', $filename);
 	$filename = remove_accents($filename);
 	$filename = preg_replace('/[^A-Za-z0-9\.\-_]/','', $filename);
-	$filename = trim($filename, '.-_');
+    $filename = trim($filename, '-_');

-	if ( strlen($filename) < 1 )
+    if ( strlen($filename) < 1 || strpos($filename, '.') === 0 )
 	{
-		$filename = mt_rand(10000,99999);
+        $filename = mt_rand(10000,99999) . $filename;
 	}

-	return $filename;
+    return $filename . '.' . $parts['extension'];
 } // END hesk_cleanFileName()


--- a/language/en/text.php
+++ b/language/en/text.php
@ -2,7 +2,7 @@
 /*
 * Language file for Help Desk Software HESK (www.hesk.com)
 * Language: ENGLISH
-* Version: 2.6.1
+* Version: 2.6.3
 * Author: Klemen Stirn (http://www.hesk.com)
 *
 * !!! This file must be saved in UTF-8 encoding without byte order mark (BOM) !!!
@ -865,7 +865,7 @@ $hesklang['nhid']='Notes are hidden from customers!';
 $hesklang['delt']='Delete this post';
 $hesklang['edtt']='Edit post';
 $hesklang['edt1']='Post modified';
-$hesklang['edt2']='Changes to the selecting post have been saved';
+$hesklang['edt2']='Changes to the selected post have been saved';
 $hesklang['dele']='Delete this ticket';
 $hesklang['repd']='Post deleted';
 $hesklang['repl']='Selected post has been deleted';
@ -1098,7 +1098,7 @@ $hesklang['nwts']='A new ticket is submitted with owner:';
 $hesklang['ncrt']='Client responds to a ticket with owner:';
 $hesklang['ntam']='A ticket is assigned to me';
 $hesklang['npms']='A private message is sent to me';
-$hesklang['support_remove']='A lot of time and effort went into developing HESK. Support HESK, buy a license that will also remove the credits links <i>Powered by Help Desk Software HESK</i> from your helpdesk';
+$hesklang['support_remove']='A lot of time and effort went into developing HESK. Support HESK by purchasing a license that will remove the credits links <i>Powered by Help Desk Software HESK</i> from your helpdesk';
 $hesklang['ycvtao']='You are not allowed to view tickets assigned to others';
 $hesklang['password_not_valid']='Password must be at least 5 chars long';
 $hesklang['lkbs']='Loading knowledgebase suggestions...';
--- a/submit_ticket.php
+++ b/submit_ticket.php
@ -188,16 +188,31 @@ $tmpvar['email'] = hesk_validateEmail( hesk_POST('email'), 'ERR', 0) or $hesk_er

 if ($hesk_settings['confirm_email'])
 {
-	$tmpvar['email2'] = hesk_input( hesk_POST('email2') ) or $hesk_error_buffer['email2']=$hesklang['confemail2'];
+    $tmpvar['email2'] = hesk_validateEmail( hesk_POST('email2'), 'ERR', 0) or $hesk_error_buffer['email2']=$hesklang['confemail2'];

-	if (strlen($tmpvar['email2']) && ( strtolower($tmpvar['email']) != strtolower($tmpvar['email2']) ))
+    // Anything entered as email confirmation?
+    if ( strlen($tmpvar['email2']) )
 	{
+        // Do we have multiple emails?
+        if ($hesk_settings['multi_eml'] && count( array_diff( explode(',', strtolower($tmpvar['email']) ), explode(',', strtolower($tmpvar['email2']) ) ) ) == 0)
+        {
+            $_SESSION['c_email2'] = $_POST['email2'];
+        }
+        // Single email address match
+        elseif ( ! $hesk_settings['multi_eml'] && strtolower($tmpvar['email']) == strtolower($tmpvar['email2']) )
+        {
+            $_SESSION['c_email2'] = $_POST['email2'];
+        }
+        else
+        {
+            // Invalid match
            $tmpvar['email2'] = '';
            $_POST['email2'] = '';
            $_SESSION['c_email2'] = '';
            $_SESSION['isnotice'][] = 'email';
            $hesk_error_buffer['email2']=$hesklang['confemaile'];
        }
+	}
 	else
 	{
 		$_SESSION['c_email2'] = $_POST['email2'];
--- a/ticket.php
+++ b/ticket.php
@ -178,6 +178,12 @@ else
 	$ticket['repliername'] = $ticket['name'];
 }

+// If IP is unknown (tickets via email pipe/pop3 fetching) assume current visitor IP as customer IP
+if ($ticket['ip'] == 'Unknown' || $ticket['ip'] == $hesklang['unknown'])
+{
+    hesk_dbQuery("UPDATE `".hesk_dbEscape($hesk_settings['db_pfix'])."tickets` SET `ip` = '".hesk_dbEscape($_SERVER['REMOTE_ADDR'])."' WHERE `id`=".intval($ticket['id'])." LIMIT 1");
+}
+
 /* Get category name and ID */
 $result = hesk_dbQuery("SELECT `name` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."categories` WHERE `id`='".intval($ticket['category'])."' LIMIT 1");