SR-D56409 · Issue 520743
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.4
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D62949 · Issue 527502
XSS protection added
Resolved in Pega Version 8.4
The CrossScriptingFilter API has been applied to address a potential XSS issue related to stream rule parameters used in the request header.
SR-D63232 · Issue 524295
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.4
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed the Authentication service rule could only map attributes that are on the top level page and did not consider embedded page values. To resolve this, tools.getProperty will be used to fetch the property reference value instead of find Page and getString.
SR-D63727 · Issue 531726
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D71378 · Issue 533282
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D44942 · Issue 518353
Guided tour popups handling added for right-to-left language locales
Resolved in Pega Version 8.1.8
Guided Tour Popups were still appearing in the default EN location after switching to the ar_AR locale. This was traced to a missed use case for locales using a right-to-left mode such as Arabic or Hebrew, and has been resolved by updating the guided tour engine openPopOver function to account for the HTML tag dir attribute for value of "rtl". This will anchor the pop over to rightBottom / and display the arrow on the rightTop instead of leftBottom / leftTop.
SR-D79266 · Issue 544531
pyStatusWork for parent case correctly resolved
Resolved in Pega Version 8.1.8
pyStatusWork was not getting updated for the parent case even though the case passed through the resolution stage. This was an unintended side effect of work done regarding resolving a subcase if it was opened from the review harness, and has been resolved by updating the findPageByHandle activity to return the correct page when there are multiple pages with the same key.
SR-D54963 · Issue 524113
Updated Decision Table validation for multiple OR conditions
Resolved in Pega Version 8.1.8
When the Decision Table had multiple OR conditions, the table was verified as consistent even when two rows had the same value. Analysis showed that when Show Conflicts encountered multiple 'or' conditions in a row that matched the same conditions in other rows, it considered them to be different rows. This has been corrected.
SR-D54984 · Issue 529208
Resolved ruleset save issue for Google Chrome/IE
Resolved in Pega Version 8.1.8
When using particular versions of Google Chrome or IE, the intermittent error "pyComponentInterfaceClass: <user> does not exist or is not a valid entry for this ruleset and its prerequisites" appeared when attempting to validate an application, and the ruleset could not be saved. This was traced to changes made in the browser around password handling, and has been resolved by explicitly clearing out the pyComponentInterfaceClass if that value is not in use.
SR-D70447 · Issue 533598
SQL injection protection added to Circumstanced Search
Resolved in Pega Version 8.1.8
Parameters used by the PegaAccel-Task-CircumstanceSearch.pzGetCircumstancePropValues activity are now encoded to prevent SQL injection attacks.