SR-D55508 · Issue 521862
CSRF and Fingerprint token handling added to custom URL generation
Resolved in Pega Version 8.4
An error screen appeared with the message "Server response error, no update data returned" while doing a check out and check in of the offer rule. This was traced to CSRF token validation: in this scenario, a custom URL was being framed and the corresponding request did not have a valid CSRF/ Fingerprint token, which can occur when there are custom AJAX/Non-ajax URLs constructed manually in the non-autogenerated/HTML streams. To address this, handling has been added for CSRF and fingerprint tokens as part of the custom URL generation.
SR-D56409 · Issue 520743
URL Encryption and Obfuscation made compatible with site-minder
Resolved in Pega Version 8.4
Attempting to install a DL using Hfix Manager worked when not going through SSO but failed when using SSO. Investigation showed that this was due to the use of URLEncryption: URLEncryption uses a Pega-supplied base64 to encode the cipher text with MIME type encoding by default, which adds newline character after every 72 characters. This is not compatible with site-minder. which has policies to restrict newline characters in the URL. As a result, none of the encrypted requests were being processed. To resolve this, post-processing logic has been added to remove newline characters from encoded text. This change has also been applied top URLObfuscation.
SR-D62949 · Issue 527502
XSS protection added
Resolved in Pega Version 8.4
The CrossScriptingFilter API has been applied to address a potential XSS issue related to stream rule parameters used in the request header.
SR-D63232 · Issue 524295
Support added for Authentication service rule attributes in embedded pages
Resolved in Pega Version 8.4
SSO login was not working, giving the error "Unable to process the SAML WebSSO request : No value specified for Attribute in SAML assertion". Investigation showed the Authentication service rule could only map attributes that are on the top level page and did not consider embedded page values. To resolve this, tools.getProperty will be used to fetch the property reference value instead of find Page and getString.
SR-D63727 · Issue 531726
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
SR-D71378 · Issue 533282
Authorization header base 64 format error recategorized as debug logging
Resolved in Pega Version 8.4
Numerous messages were generated indicating that the Authorization Header format was invalid when using the format " : " (Base64 Og==) . As this is the default behavior for a particular class of proxy servers, the error statement has been updated to be logged as a debug statement and will be visible only when that logging is enabled.
INC-133214 · Issue 590380
Deployment Manager rollback works for directed inheritance
Resolved in Pega Version 8.6
Rollback was not working correctly in Deployment Manager for history classes using directed inheritance. This was traced to a redundant check in AbstractHistoryPageKeeper that enforced the history pages pattern inherited from one of the base history classes, and this has now been removed.
INC-140040 · Issue 597666
Improved handling to ensure circumstanced rules skim is complete
Resolved in Pega Version 8.6
After performing a major rule skim, it was noticed that some of the circumstanced rules were not carried over to the higher version. The data was restored and a second skim was attempted. Once again, not all of the circumstanced rules were carried over; however, the results were different than in skim 1. This issue was traced to the circumstanced rule and base rule having the same pxCreateDateTime because they were processed with in a millisecond span. To resolve this, a 1ms explicit sleep has been added before processing each record.
INC-140279 · Issue 597757
JMX logging added to upgrade diagnostics
Resolved in Pega Version 8.6
In order to improve diagnostic information, infoForced loggers have been added for debugging upgrade issues related to JMX calls to enable and disable rules creation.
INC-142236 · Issue 595979
Apache Struts updated
Resolved in Pega Version 8.6
The Apache struts2-core.jar and its dependencies have been updated to version 2.5.25.