SR-B67143 · Issue 316168
Proxy configurations made available to OAuth2 and other clients
Resolved in Pega Version 7.3.1
Setting up Proxy for the REST Connector was not working when using OAuth2. When using OAuth2 authorization for Connector features including REST Connectors, the com.pega.pegarules.integration.engine.internal.client.oauth2.OAuth2ClientImpl class is used for connections to the OAuth2 Provider for interactions such as fetching authorization tokens. However, OAuth2ClientImpl does not have the required code for "picking up" the JVM-level proxy settings and applying them to the HTTP Client it uses, so the HTTP calls to the OAuth2 provider were always bypassing the configured HTTP proxy. In order to resolve this and enhance future use, the code in the RESTConnector module that allows REST Connectors to use HTTP Proxies has been extracted out into the "HTTPClientUtils" module so that it can be used by any consumer to apply the system's Proxy configuration to any instance of PegaRESTClient. OAuth2ClientImpl has been updated to call this during HTTP client setup, prior to making the request for data from OAuth2 Providers, and RESTConnnector has been updated to call this new implementation to replace the universal Proxy code that was refactored out of it.
SR-B43400 · Issue 307258
Localization added for field value used in 'Enter a Short Description' validation message
Resolved in Pega Version 7.3.1
Localization was failing for the 'Enter a Short Description' validation message when using a Field Value due to the message rule containing spaces. To fix this, a new message rule has been created without spaces in the same ruleset so that it is available for override use in the ruleset.
SR-B66204 · Issue 316885
XSS sanitizing added to clientID field
Resolved in Pega Version 7.3.1
During the time of construction of a ServiceRequest in the engine , the clientID field will be sanitized with the StringUtils.crossScriptFiltering API to avoid XSS attacks.
SR-B75677 · Issue 326354
Password set removed from Lock and Roll tool
Resolved in Pega Version 7.3.1
The way the Lock and Roll tool set passwords was confusing and often caused a new application to be created with the wrong password, preventing updating the new rule or even requiring administrators to manually create the application rules. To resolve this, pzLPLockAndRollApplication has been changed to remove the setting of pySetPassword and pySetPasswordConfirmText so the values will be empty for the new version.
SR-B56648 · Issue 315674
Added security check when running out-of-the-box reports with ShowSelectorView
Resolved in Pega Version 7.3.1
A security issue was found where non-authorized users were able to access the out-of-the-box report details in their portal by manipulating the URL to pass a "short-cut" parameter that executed the Final "ShowSelectorView" activity. To avoid the need to set the explicit privileges manually, the ShowSelectorView activity will call a security check to prevent this.