SR-D23239 · Issue 499591
Support added for multi-operator SAML logins
Resolved in Pega Version 8.4
When a SAML user logged in by Single Sign-On (SAML), the system processed the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D31734 · Issue 515657
XSS protection added for parameter page properties
Resolved in Pega Version 8.4
An XSS vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D47685 · Issue 514647
Cookie logging restored
Resolved in Pega Version 8.4
As part of security updates, Cookies were restricted from being logged. However, this caused some business use cases such as a custom function call to obtain the list of cookies that are present in the application to stop working. To resolve this, the cookie logging restriction has been reverted.
SR-D23239 · Issue 499595
Support added for multi-operator SAML logins
Resolved in Pega Version 8.3.1
When a SAML user is logged in by Single Sign-On (SAML), the system processes the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to the same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D47611 · Issue 513113
HTTPS login path issue resolved
Resolved in Pega Version 8.3.1
When using iOS, entering wrong credentials for a login with an https endpoint converted the URL to http. This was traced to a case where the resourcePath was coming as http in SSL enabled system, but the reqURI was still https. To correct this, the system has been updated so that if the reqContextURI starts with https and the requestURL starts with http, then the requestURL will be converted to https.
INC-202004 · Issue 692353
Hotfix documentation updated to point to Hotfix Manager page
Resolved in Pega Version 8.8
The readme file attached to hotfix downloads contained an outdated reference to use "PRPC Hotfix Installer on the Update Manager landing page." This has been updated to point to the Hotfix Manager landing page.
INC-205453 · Issue 706569
Pega Keystore supported for hotfix signature verification
Resolved in Pega Version 8.8
In order to support custom trust managers which require an alternate method for supplying the root certificate via a platform trust store, an enhancement has been added to allow Pega Keystore to be used as a hotfix verification source. Detailed information on this can be found in https://docs.pega.com/keeping-current-pega/87/verifying-hotfix-authenticity-using-pega-keystore
INC-208516 · Issue 705098
Patchdate values made unique
Resolved in Pega Version 8.8
The hotfix manager was incorrectly indicating that a previous hotfix was not installed or was partially installed and should be reinstated. This scenario was created during security updates where the missing/incomplete hotfix had been deliberately deleted from the database, and has been resolved by adding an update which will force patchdate to be unique when adding duplicate code resources during tests.
INC-209435 · Issue 707374
Column population error downgraded to warning
Resolved in Pega Version 8.8
A Column Population job run after deployment for some classes was logging the error "Class does not exist", but no property was identified and no impact to the system was seen. This error has been downgraded to a warning.
INC-210513 · Issue 710344
Added handling for clustered index on the pr4_rule table during migration
Resolved in Pega Version 8.8
When attempting to migrate the rules schema to RULES85 and temp data schema DATA85, the upgrade was becoming stuck in a loop while working to generate declarative indexes for Rule-HTML-Paragraph. Investigation showed the infinite looping happened only for classes mapped to the pr4_rule and with instance count of more than (num of threads * batch size). This was due to the presence of a clustered index on the pr4_rule table causing the resultset to return an infinite number of records in SQLServer, and has been resolved with an update to leverage the total record count to iterate the resultset instead of depending on the resultset.next().