SR-B57046 · Issue 314358
Parameters removed from on-screen error messages to protect sensitive data
Resolved in Pega Version 7.3.1
It was discovered that sensitive information such as account numbers, passed as parameters, was being displayed in the exception error messages shown on screen. Including the parameters in the error is intended to aid in debugging the problem, but these parameters do not need to be displayed in the UI. To protect potentially sensitive data, parameter values have been removed from the exception message. When the DeclarativePageDirectoryImpl logger is enabled, the parameters are written to the Pega log files instead of being shown on screen.
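The pattern described in this note, as an added example that is not Pega's code: the exception carries its parameters as data rather than baking the values into its message, the text that reaches the UI names only the parameter keys, and the values are written to a log only when a diagnostic logger is enabled. The class name, the logger name and the sample parameter values are assumptions made for the example.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not Pega code. Values stay out of the user-facing message and
// reach the server log only when the diagnostic logger is deliberately enabled.
public class ParameterSafeErrors {

    // Stand-in for a diagnostic logger such as the one the release note mentions (name assumed).
    private static final Logger DIAG = Logger.getLogger("example.DeclarativePageDirectory");

    /** Exception whose message is safe for the UI; the values live in a separate field. */
    public static final class PageLookupException extends Exception {
        private final Map<String, String> parameters;

        public PageLookupException(String pageName, Map<String, String> parameters) {
            // The message names the operation and the parameter keys, never the values.
            super("Unable to load data page " + pageName
                    + " (parameters: " + String.join(", ", parameters.keySet()) + ")");
            this.parameters = Collections.unmodifiableMap(new LinkedHashMap<>(parameters));
        }

        public Map<String, String> getParameters() {
            return parameters;
        }
    }

    /** Text that may be rendered on screen. */
    public static String userFacingMessage(PageLookupException e) {
        return e.getMessage();
    }

    /** Full diagnostic text, including values, intended for the server log only. */
    public static String diagnosticMessage(PageLookupException e) {
        return e.getMessage() + " values=" + e.getParameters();
    }

    /** Emit the values only when the diagnostic logger is enabled at FINE (debug) level. */
    public static void report(PageLookupException e) {
        if (DIAG.isLoggable(Level.FINE)) {
            DIAG.fine(diagnosticMessage(e));
        }
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("AccountNumber", "4111222233334444"); // constructed sample value
        params.put("CustomerId", "C-0001");              // constructed sample value
        PageLookupException e = new PageLookupException("D_AccountDetails", params);

        report(e);
        String shown = userFacingMessage(e);
        if (shown.contains("4111222233334444")) {
            throw new IllegalStateException("UI message leaked a parameter value");
        }
        System.out.println("UI: " + shown);
    }
}
```

The split between userFacingMessage and diagnosticMessage is the point: any code path that renders an exception to a screen can only ever obtain the key-only text, so a future change to the logging configuration cannot reintroduce the leak.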
SR-B67143 · Issue 316168
Proxy configurations made available to OAuth2 and other clients
Resolved in Pega Version 7.3.1
Setting up a proxy for the REST Connector was not working when using OAuth2. When OAuth2 authorization is used for Connector features, including REST Connectors, the com.pega.pegarules.integration.engine.internal.client.oauth2.OAuth2ClientImpl class is used for connections to the OAuth2 Provider for interactions such as fetching authorization tokens. However, OAuth2ClientImpl did not have the code required to pick up the JVM-level proxy settings and apply them to the HTTP Client it uses, so HTTP calls to the OAuth2 provider always bypassed the configured HTTP proxy. To resolve this and support future use, the code in the RESTConnector module that allows REST Connectors to use HTTP proxies has been extracted into the "HTTPClientUtils" module so that any consumer can apply the system's proxy configuration to any instance of PegaRESTClient. OAuth2ClientImpl has been updated to call this during HTTP client setup, before requesting data from OAuth2 Providers, and RESTConnector has been updated to call the new implementation in place of the proxy code that was refactored out of it.
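What "picking up the JVM-level proxy settings" amounts to, as an added example that is not Pega's HTTPClientUtils code: the standard -Dhttp.proxyHost, -Dhttp.proxyPort, -Dhttps.proxyHost, -Dhttps.proxyPort and -Dhttp.nonProxyHosts system properties are resolved into a java.net.Proxy that any HTTP client can be handed, so that a client built without this step is the one that silently bypasses the proxy. The class name and the sample endpoints are assumptions; the property names are the JDK's own.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URI;
import java.util.Arrays;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added example, not Pega code: turn the JVM proxy system properties into a
// java.net.Proxy for a given target, honoring the nonProxyHosts exclusion list.
public final class JvmProxySettings {

    private JvmProxySettings() {}

    /** The proxy the JVM settings prescribe for this target, or Proxy.NO_PROXY. */
    public static Proxy resolve(URI target) {
        String scheme = target.getScheme() == null ? "http" : target.getScheme().toLowerCase(Locale.ROOT);
        String host = System.getProperty(scheme + ".proxyHost");
        if (host == null || host.trim().isEmpty()) {
            return Proxy.NO_PROXY;
        }
        // The JDK consults http.nonProxyHosts for both http and https targets.
        if (isNonProxyHost(target.getHost(), System.getProperty("http.nonProxyHosts"))) {
            return Proxy.NO_PROXY;
        }
        int defaultPort = "https".equals(scheme) ? 443 : 80;
        int port = Integer.parseInt(
                System.getProperty(scheme + ".proxyPort", String.valueOf(defaultPort)).trim());
        return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host.trim(), port));
    }

    /** Match a host against the '|'-separated nonProxyHosts list, where '*' is a wildcard. */
    static boolean isNonProxyHost(String host, String nonProxyHosts) {
        if (host == null || nonProxyHosts == null || nonProxyHosts.trim().isEmpty()) {
            return false;
        }
        for (String entry : nonProxyHosts.split("\\|")) {
            String p = entry.trim();
            if (p.isEmpty()) {
                continue;
            }
            // Everything except '*' is literal; compare case-insensitively like the JDK does.
            String regex = Arrays.stream(p.split("\\*", -1))
                    .map(Pattern::quote)
                    .collect(Collectors.joining(".*"));
            if (Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(host).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Normally passed as -D flags on the command line; set here only so the demo is self-contained.
        System.setProperty("https.proxyHost", "proxy.example.internal");
        System.setProperty("https.proxyPort", "3128");
        System.setProperty("http.nonProxyHosts", "localhost|*.corp.example");

        URI tokenEndpoint = URI.create("https://idp.example.com/oauth2/token"); // constructed
        URI internalService = URI.create("https://api.corp.example/health");    // constructed

        System.out.println(tokenEndpoint + " -> " + resolve(tokenEndpoint));
        System.out.println(internalService + " -> " + resolve(internalService));
        // A client then takes the result directly, e.g. url.openConnection(resolve(uri)) for
        // HttpURLConnection, or HttpClient.newBuilder().proxy(ProxySelector.of(address)).
    }
}
```

Resolving the proxy in one shared helper and applying it at client construction time, as the note describes for HTTPClientUtils, is what keeps every outbound HTTP path (connector calls and token fetches alike) under the same egress policy.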
SR-B65744 · Issue 315671
Repaired use of custom case ID search
Resolved in Pega Version 7.3.1
After upgrade, custom search criteria for case IDs generated an error when pulling data from the database. This was traced to a change that removed CommonTLP as a fallback, and that default has been restored.
SR-B66204 · Issue 316885
XSS sanitizing added to clientID field
Resolved in Pega Version 7.3.1
During construction of a ServiceRequest in the engine, the clientID field is now sanitized with the StringUtils.crossScriptFiltering API to prevent XSS attacks.
SR-B50950 · Issue 308958
Connect-SOAP passivation tuned
Resolved in Pega Version 7.3.1
The Connect-SOAP implementation used the requestor instance to cache STSConfigContext and Axis2 ServiceClient objects; these are not serializable and were causing requestor passivation to fail. As part of the fix, these objects are de-referenced from the requestor page and the system instead uses a requestor-scoped data page to cache the STSConfigContext and Axis2 ServiceClient objects.
SR-B55660 · Issue 316375
Removed "SHA1" hard coding from SAMLRedirectBindingHandler
Resolved in Pega Version 7.3.1
SAML logout failed after switching to SHA256 signature encoding on an IDP that does not support SOAP. Previously, "SHA1" was hard-coded as the algorithm used to verify the certificate during logout in the case of HTTP-Redirect binding; this hard coding has now been removed from SAMLRedirectBindingHandler.verify().
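Verifying an HTTP-Redirect binding signature without a hard-coded digest, as an added example that is not Pega's SAMLRedirectBindingHandler code: the algorithm comes from the message's own SigAlg parameter, but only URIs on an explicit allowlist are honored, and anything else fails closed rather than falling back. The class name and the constructed LogoutRequest are assumptions; the two algorithm URIs are the standard xmldsig identifiers. A locally generated RSA key pair stands in for the IDP certificate, and the sample skips the DEFLATE step a real binding applies before base64. Requires Java 11 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;
import java.util.Map;

// Added example, not Pega code: the relying party verifies with the algorithm the
// request declares in SigAlg, restricted to an allowlist, instead of assuming SHA1.
public final class RedirectBindingSignature {

    /** Signature algorithm URIs the relying party accepts, mapped to JCA names. */
    private static final Map<String, String> ALLOWED = Map.of(
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "SHA256withRSA",
            "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "SHA1withRSA");

    private RedirectBindingSignature() {}

    /** The exact octets that are signed: param=..&RelayState=..&SigAlg=.. (RelayState only if present). */
    static byte[] signedOctets(String paramName, String encodedValue, String encodedRelayState,
                               String encodedSigAlg) {
        StringBuilder sb = new StringBuilder(paramName).append('=').append(encodedValue);
        if (encodedRelayState != null) {
            sb.append("&RelayState=").append(encodedRelayState);
        }
        sb.append("&SigAlg=").append(encodedSigAlg);
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    /** Verify using the declared algorithm; unknown URIs and malformed signatures both fail closed. */
    public static boolean verify(PublicKey idpKey, String paramName, String encodedValue,
                                 String encodedRelayState, String sigAlgUri, String signatureB64)
            throws GeneralSecurityException {
        String jca = ALLOWED.get(sigAlgUri);
        if (jca == null) {
            return false; // not on the allowlist: reject, never substitute another algorithm
        }
        try {
            Signature sig = Signature.getInstance(jca);
            sig.initVerify(idpKey);
            sig.update(signedOctets(paramName, encodedValue, encodedRelayState, urlEncode(sigAlgUri)));
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // wrong digest type inside the RSA block, or undecodable base64
        }
    }

    /** Signing side as an IDP would do it; included only to produce a verifiable sample. */
    static String sign(PrivateKey key, String jca, String paramName, String encodedValue,
                       String encodedRelayState, String sigAlgUri) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(jca);
        sig.initSign(key);
        sig.update(signedOctets(paramName, encodedValue, encodedRelayState, urlEncode(sigAlgUri)));
        return Base64.getEncoder().encodeToString(sig.sign());
    }

    static String urlEncode(String s) {
        // In production use the already-encoded values verbatim from the query string;
        // both sides here encode identically, so re-encoding is safe for the demo.
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair();

        // Constructed LogoutRequest payload (base64 only; a real binding DEFLATEs the XML first).
        String encodedRequest = urlEncode(Base64.getEncoder().encodeToString(
                "<samlp:LogoutRequest ID=\"_example\"/>".getBytes(StandardCharsets.UTF_8)));
        String encodedRelay = urlEncode("/home");
        String sha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        String sha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

        String signature = sign(idp.getPrivate(), "SHA256withRSA",
                "SAMLRequest", encodedRequest, encodedRelay, sha256);

        boolean ok = verify(idp.getPublic(), "SAMLRequest", encodedRequest, encodedRelay, sha256, signature);
        // The same signature presented under another SigAlg, or an unknown one, must not verify.
        boolean underSha1 = verify(idp.getPublic(), "SAMLRequest", encodedRequest, encodedRelay, sha1, signature);
        boolean unknown = verify(idp.getPublic(), "SAMLRequest", encodedRequest, encodedRelay,
                "urn:example:not-on-the-allowlist", signature);

        System.out.println("sha256: " + ok + ", sha1 URI: " + underSha1 + ", unknown URI: " + unknown);
        if (!ok || underSha1 || unknown) {
            throw new IllegalStateException("unexpected verification result");
        }
    }
}
```

Two properties matter here: SigAlg is part of the signed octets, so an attacker cannot swap the declared algorithm without invalidating the signature, and the allowlist is where an operator retires SHA1 once every IDP has moved to SHA256.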
SR-B72326 · Issue 325267
EmailListener handling updated for addressee errors
Resolved in Pega Version 7.3.1
When the EmailListener handles a message with more than one recipient (more than one address in the TO: header, and sometimes also in the CC: header), the EmailListener activity creates a (sub-)case for each recipient, based on the email addresses in the TO: or CC: list. If one of the recipient addresses in a group (TO: or CC:) was invalid and raised an error, only the invalid address was returned to the EmailListener for further processing, so the other addresses in the same group were ignored and no (sub-)case was created for them. To address this, the handling has been changed: if an exception occurs while processing a recipient's name, the system iterates through the Message and retrieves the recipients one by one. If an address is valid it is added to the list; if it is invalid, the extractEmailAddress API is used to attempt to extract a valid email address and add it. If the extraction does not yield a valid email address, the entry is logged and ignored. Note that all of this processing applies only when the FailOnAddressException DSS is set to false (the existing behavior).
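The per-recipient handling described above, as an added example that is not Pega's EmailListener code: each entry in a header group is parsed on its own, a strict parse failure triggers a lenient extraction attempt, entries with no usable address are logged and skipped, and a flag modelled on the FailOnAddressException setting turns the first failure into an abort instead. The strict and lenient parsers, the AddressException class and the sample header entries are stand-ins constructed for the example rather than the mail library's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Pega code: collect one header group's recipients entry by entry
// so that a single malformed address no longer discards its neighbours.
public final class RecipientCollection {

    private static final Logger LOG = Logger.getLogger("example.EmailListener");
    // Deliberately simple addr-spec shape; real RFC 5322 parsing is the mail library's job.
    private static final String ADDR = "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}";
    private static final Pattern BARE = Pattern.compile("^(" + ADDR + ")$");
    private static final Pattern NAMED = Pattern.compile("^[^<>,;]*<(" + ADDR + ")>$");
    private static final Pattern ANYWHERE = Pattern.compile(ADDR);

    /** Stand-in for the mail library's address parsing error. */
    public static final class AddressException extends Exception {
        AddressException(String msg) {
            super(msg);
        }
    }

    private RecipientCollection() {}

    /** Strict parse: accepts "user@host" or "Display Name <user@host>", nothing else. */
    static String parseStrict(String raw) throws AddressException {
        String s = raw.trim();
        Matcher m = BARE.matcher(s);
        if (m.matches()) {
            return m.group(1);
        }
        m = NAMED.matcher(s);
        if (m.matches()) {
            return m.group(1);
        }
        throw new AddressException("not a valid address: " + raw);
    }

    /** Lenient recovery: the first thing that looks like an address inside a malformed entry, or null. */
    static String extractEmailAddress(String raw) {
        Matcher m = ANYWHERE.matcher(raw);
        return m.find() ? m.group() : null;
    }

    /** Walk the group one entry at a time; bad entries are recovered, logged, or fatal per the flag. */
    public static List<String> collectRecipients(List<String> headerEntries, boolean failOnAddressException)
            throws AddressException {
        List<String> result = new ArrayList<>();
        for (String entry : headerEntries) {
            try {
                result.add(parseStrict(entry));
            } catch (AddressException e) {
                if (failOnAddressException) {
                    throw e; // the configured behaviour: abort the whole message on any bad address
                }
                String recovered = extractEmailAddress(entry);
                if (recovered != null) {
                    result.add(recovered);
                } else {
                    LOG.warning("Ignoring recipient entry with no usable address: " + entry);
                }
            }
        }
        return result;
    }

    public static void main(String[] args) throws AddressException {
        // Constructed TO: group: two valid entries, one missing its closing '>', one with no address.
        List<String> to = List.of(
                "alice@example.com",
                "Bob <bob@example.net>",
                "Carol Smith <carol@example.org",
                "undisclosed-recipients:;");
        List<String> recipients = collectRecipients(to, false);
        System.out.println(recipients);
        if (!recipients.equals(List.of("alice@example.com", "bob@example.net", "carol@example.org"))) {
            throw new IllegalStateException("unexpected recipients: " + recipients);
        }
    }
}
```

With the flag set to true the same input throws on the third entry and no (sub-)case is created for any recipient, which is the trade-off the FailOnAddressException setting expresses: strictness over completeness.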
SR-B73213 · Issue 322353
CMIS-GetPropertiesResponse property mapping fixed
Resolved in Pega Version 7.3.1
The CMIS properties' data was improperly mapped to a "pyProperty" Page List property that is not part of the CMIS-GetPropertiesResponse data model, rather than into the proper "pyProperty" Page List properties in the CMIS-GetRepositoriesResponse data model such as pyPropertyBoolean and pyPropertyInteger. This was caused by a defect in the Pega engine's CMISConnector module introduced by changes made to simplify and consolidate the "map Properties" logic. The CMISConnector module has been repaired so that it correctly derives the data type when given a pointer to a PropertyDataObject.
SR-B57228 · Issue 325976
Timer exit error fixed for STS SOAP
Resolved in Pega Version 7.3.1
If STS was enabled for a SOAP Connector and if a valid STS token was already available, hundreds of error messages about attempting to stop the timer were logged. This was traced to a step order error which started the timer and then exited before stopping it, and the missing step has been added.
SR-B75677 · Issue 326354
Password set removed from Lock and Roll tool
Resolved in Pega Version 7.3.1
The way the Lock and Roll tool set passwords was confusing and often caused a new application to be created with the wrong password, preventing updating the new rule or even requiring administrators to manually create the application rules. To resolve this, pzLPLockAndRollApplication has been changed to remove the setting of pySetPassword and pySetPasswordConfirmText so the values will be empty for the new version.