SR-A24598 · Issue 247394
Apache Struts updated for security
Resolved in Pega Version 7.2.1
Apache Struts has been updated to version 2.3.28 to protect against potential security vulnerabilities exposed when Dynamic Method Invocation is enabled, removing the ability for remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
SR-A27900 · Issue 248758
24-hour clock enhancement for displayReportSection
Resolved in Pega Version 7.2.1
The new option "Support 24 hour format for time?" has been added to displayReportSection to allow the date/time in the Charts 'Show Data' display screen to use a 24-Hr format.
SR-A4613 · Issue 227870
Updated logging for "Obfuscated URL tampering" errors
Resolved in Pega Version 7.2.1
The error "pegarules.util.URLObfuscation) ERROR - Obfuscated URL tampering - unable to derive cleartext data" was being logged when the "cookie/HttpOnly" parameter was set. This was traced to the unobfuscating of data failing at the server end, and the loggers have been updated to print requestor data for better diagnostics.
SR-A4719 · Issue 230767
Fixed improper ID carryover after reset all loggers
Resolved in Pega Version 7.2.1
When a user reset the logs, the same user ID was then being populated in the log entries of master agent and requestor lock exceptions from that point on even when the exceptions were from other users. This was due to the username not being cleared correctly after the reset all loggers operation is done, and to fix this, the reset all loggers functionality has been changed such that no data from main thread is copied onto the child thread(the dispatcher thread).
SR-A8475 · Issue 233560
Fixed Multiselect grid drag and drop
Resolved in Pega Version 7.2.1
When using MultiSelectList Control, if a value was selected and then 'submit' was used to populate the Grid's data, dragging and dropping the Grid's row to some other workbasket did not work. This happened because the clipboard calls the remove property with a symbolic delete when doing a drag and drop. While processing this delete, if the mode of property was unknown the system was unable to look up the property definition in the dictionary, and an exception occurred. To fix this, handling has been added to lookup the definition of the property if it is unknown before removing it.
INC-137709 · Issue 584297
New security role added to restrict access to development-specific classes
Resolved in Pega Version 8.5.1
A new security role and related RAROs have been implemented to allow better security for end users on non-BAC systems. This restricts access to Rules and execution of activities on classes that are development-specific.
INC-128811 · Issue 587213
Operator created with save-as has correct application access
Resolved in Pega Version 8.5.1
Creating an operator using Save As retained access to the applications of the original operator even if they were removed in the creation process. This was due to the saveAs operation of the Operator not retaining consistency between the records in the ValueList pyAccessGroupsAdditional and the page list pyaccessgroups_opid. To resolve this, the PreSaveAs of the Operator ID has been updated to maintain consistency in the records.
INC-132517 · Issue 578985
Correct manager name retained for skill-based routing updates
Resolved in Pega Version 8.5.1
In App Studio, having a manager update a team member's skills changed that team member's reporting Manager name (.pyReportTo) upon save. This was a use case where multiple operator IDs were required for the same person (name and email), so that using the report definition parameter 'BestOperatorValue' for the pzUpdateOperatorInfo activity caused an incorrect manager name to be set to the team member's operator ID. This has been resolved.
INC-127392 · Issue 574286
Delegated Decision table rule grid loads in iFrame with SSO
Resolved in Pega Version 8.5.1
The delegated decision table rule grid and checkout options were not displayed when launched from iFrame using SSO sign in. Without SSO, the delegated decision table grids were loading properly for the same Access group. The heart of this issue was that decision tables were using an older style of Designer Studio javascript which was not designed to be embedded in an iFrame due to issues related to Cross-Origin Resource Sharing (CORS). In order to support the usecase of the Pega end user portal/application being integrated to an external domain application using an iFrame, enhancements have been made to the necessary delegated rule function definitions.
INC-135095 · Issue 581849
Tracer toolbar shows correctly in IE
Resolved in Pega Version 8.5.1
After upgrade, the developer toolbar for the tracer pop up was not visible in Internet Explorer. Investigation showed that Microsoft Internet Explorer was loading the correct elements, but they were not displaying due to recent updates made to prevent Cross-site scripting vulnerabilities for the tracer. This has been resolved.