SR-C93602 · Issue 485517
White list filter added for X-Forward-Host value security
Resolved in Pega Version 8.3.2
In order to improve security, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D37894 · Issue 505974
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.3.2
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.
SR-D41454 · Issue 506535
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D46133 · Issue 534649
Colon in folder or file name will be replaced with underscore during unzip
Resolved in Pega Version 8.3.2
After creating a product file (zip), attempting to import the same file into an updated system resulted in an exception. Investigation showed that in this case the zip file was a Product rule form which had applications packaged with a colon(:) in the name of the application, a format that was allowed in 6.x versions. Because Windows machines restrict creating creating any folder or file with : in its name, the zip file could not be inflated as part of the import process. To resolve this, the system has been updated so that a colon(:) will be replaced by underscore(_) during inflate operations.
SR-D46536 · Issue 515792
Custom agent next run time will be rescheduled if the run failed
Resolved in Pega Version 8.3.2
If a customized agent that was set to run every day encountered an exception and failed to run, restarting the agent did not update it to the next run time; it still returned the passed trigger time as its next execution time. This has been resolved with an update that will reschedule the run if the next run time is in the past.
SR-D46681 · Issue 514432
SnapStart supports SAML2 Authentication
Resolved in Pega Version 8.3.2
When using an HTTP Post to SnapStart into Pega using PRCustom style or PRAuth style SAML authentication, the login was looping back to the login request. Investigation showed that the Pega ACS was posting data properly back to the RelayState URL, however the login activity was not getting the SAMLResponse and simply sent a SAML Login Request again. This has been fixed by updating reqContextURI in case of SAML2 Authentication service so pyActivity=value will be passed.
SR-D47685 · Issue 514645
Cookie logging restored
Resolved in Pega Version 8.3.2
As part of security updates, Cookies were restricted from being logged. However, this caused some business use cases such as a custom function call to obtain the list of cookies that are present in the application to stop working. To resolve this, the cookie logging restriction has been reverted.
SR-D48433 · Issue 529854
Exception handling added for Redirect URL fetched from GRS
Resolved in Pega Version 8.3.2
When the application definition under “integration and security" tab was configured to use "Store in web storage provider" to allow choosing the storage name and the authentication profile, configuring the authentication profile to use an OpenID connect provider with the pyEndpointURL property given as a global resource setting such as (=D_SharepointDetails.url) was not working as expected. Clicking browse in the application definition sent the request to the OpenID connect provider and was returned with the error "The reference =D_SharepointDetails.url is not valid. Reason: Page name (D_SharepointDetails) from indirect reference was not found." This was traced to the Redirect URL (fetched from GRS) throwing an unhandled exception, and has been resolved.
SR-D48762 · Issue 518296
Enhancement added to support DB2 CREATE OR REPLACE view syntax
Resolved in Pega Version 8.3.2
After creating the product, attempting to import it on another environment failed due to incompatibilities with the syntax. In SQLGeneratorDb2.getViewSourceStatement(), when the View definition is fetched there is a check whether the view starts with "CREATE VIEW". Since the customer view of "CREATE OR REPLACE" was not supported in Db2LUW, it didn't match and appended the "CREATE VIEW" statement again. This happened only when using DB2, and has been resolved by updating the logic in SQLGeneratorDb2.getViewSourceStatement() to support CREATE OR REPLACE VIEW statements.
SR-D49804 · Issue 518225
Hierarchical view support added for moving packages
Resolved in Pega Version 8.3.2
After exporting a package from a DEV environment, attempting to import it to a TEST environment resulted in the query becoming corrupted and the process failing. This was traced to the regex used to fetch the select statement table name not supporting hierarchical views, and has been resolved by adding that support.