INC-155276 · Issue 622816
Null check added for step page
Resolved in Pega Version 8.3.6
After creating and adding new Access Roles and application 'Access When' to the privileges instead of Production level, during run time the error "runtime.IndeterminateConditionalException: Trying to evaluate Rule-Access-When conditions L:IsProdAccess when there is no page to evaluate them against" appeared for the specific privileges. This was traced to a missed use case where the system falls back to the step page if the page for evaluating the 'when' condition is null, which did not account for scenarios where the step page can be null. To resolve this, a null check has been added which will fetch the primary page if the step page for the access 'when' condition is null.
INC-156647 · Issue 626293
Improved disconnected requestor cleanup for FieldService
Resolved in Pega Version 8.3.6
A large number of requestors from FieldService with the status as 'Disconnected' were accumulating and causing performance issues. This was traced to the requestors not getting passivated due to users not logging out and new requestors being created for the same users next time, and was caused by the value of the DSS Initialization/PersistRequestor being set as "OnTimeout". When the DSS prconfig/timeout/browser/default is not configured, the default browser requestor timeout is 60 minutes. In this scenario, requestors were not passivating as the requestor passivation timeout was set to the refresh token lifetime for mobile users, which was very large and overwrote the DSS value. This has been resolved by removing the code which set the passivation timeout to the OAuth2 refresh token lifetime.
INC-166995 · Issue 642440
DeleteDocumentPg added to allow list
Resolved in Pega Version 8.7
During performance testing with CSRF settings enabled, a '403 Forbidden' error was seen in the network trace when FinishAssignment called pyActivity=pyDeleteDocument on close action. This has been resolved by adding pyDeleteDocumentPg to the list of allowed activities.
SR-D31734 · Issue 515655
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.3.2
An cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D33214 · Issue 514022
Added safeURL encoding for Japanese characters in attached filenames
Resolved in Pega Version 8.3.2
It was not possible to preview a Japanese-titled PDF file attached on a work object. Investigation showed that in case of Japanese characters, file names were not being correctly encoded during the fetch request when JBoss was used. The retrieval worked correctly under Tomcat. In order to ensure consistent encoding, the safeURL API will be used for constructing the URL and for the activities DisplayAttachFile and pzDownloadFromRepository which add the ContentDisposition header.
SR-D67321 · Issue 532627
ShowXML activity deprecated
Resolved in Pega Version 8.3.2
The activity @baseclass.ShowXML has been blocked for security reasons. If the functionality is needed, a a single line step of "Show-Applet-Data" may be used.
SR-D86011 · Issue 548152
Browser fingerprint validation issue resolved
Resolved in Pega Version 8.3.3
After upgrade, Pega logoff was happening automatically within five minutes while using Microsoft Internet Explorer. This was traced to the COSMOS-based portal in Microsoft Internet Explorer 11 generating different hashes for different parts of the screen, causing a "Browser fingerprint validation failed" error because of the pzBFP token mismatch. To resolve this, an update has been made to exclude the graphic components for calculation of browserfingerprint.
SR-D96395 · Issue 555117
CDK key loading modified for better database compatibility
Resolved in Pega Version 8.3.3
Users were unable to log on to the system and received the error "There has been an issue; please consult your system administrator." Investigation showed the log errors stating "(dataencryption.DataKeyProvider) ERROR localhost - Could not get CDK from systemKeyManagementCache - System CDK is null". This was an issue specific to the MS SQL Server database when there were 6 or more CDKs in the database: CDK keys are loaded from database into Cache using an SQL statement which had the ORDER clause. By default, the ORDER clause treats NULL values differently on different databases, and this caused MS SQL databases to not load a necessary CDK key. To resolve this, the SQL query has been modified so the result will be the same for all supported daatbases (Oracle, Postgres & MS SQL Server).
SR-D79181 · Issue 551123
OKTA receives parameters on logout
Resolved in Pega Version 8.3.3
When using an OIDC logout endpoint with a parameter set as a data page value, the data page retrieved the ID Token from the database, but when logout was clicked the datapage name was being displayed in the browser instead of the IDToken. To resolve this, code has been added to support sending ID token parameters for logoff endpoint for OKTA logoff using OpeniD connect.
SR-D64566 · Issue 547513
Option added for redirect to SAML IDP on logout
Resolved in Pega Version 8.3.3
An enhancement has been added which provides a check box to choose to redirect to SAML IDP on logout from Pega.