SR-D90687 · Issue 560431
IOException handling improved to resolve broken pipe errors
Resolved in Pega Version 8.4.2
Frequent "connection reset by peers" exceptions were being generated and broken-pipe exceptions were seen in the logs. Investigation traced the issue to unhanded IOExceptions on the server side that were a result of the client application not always closing the TCP connection gracefully. To resolve this, error handling for IOExceptions has been improved.
SR-D67408 · Issue 554900
Directory traversal blocked in zip import
Resolved in Pega Version 8.4.2
One of the files contained in a zip archive was not deleted from the system after zip import. This was due to the file being created by a third-party archive that included of a directory traversal character that caused it to be inflated outside of the temp directory. To resolve this, a check has been added to that a file with directory traversal characters in its name will not be inflated.
SR-D81572 · Issue 551028
JDBC URL handling added for Oracle over TCPS
Resolved in Pega Version 8.4.2
While attempting to upgrade an environment over TCPS, the generateDDL.sh script was failing. The same environment ran without issue on Tomcat with the same URL. Investigation showed the JDBC url was not correctly generated while running the upgrade: in a standard scenario, there will be no spaces in the JDBC URL specified. However, because Oracle can send spaces as part of JDBC URL and cause this issue, an update has been made which will quote the JDBC URL argument for the ant target in setupDDL.xml.
SR-D84364 · Issue 551403
Check for circular references added to SearchInventoryImpl to prevent recursive call
Resolved in Pega Version 8.4.2
An out of memory error was traced to SearchInventoryImpl infinitely recursing over a clipboard property, where the child property referenced a parent property and resulted in an endless loop. This has been resolved with the addition of a depth check to ensure that the search does not recurse infinitely.
SR-D85100 · Issue 556262
ProductInfoReader updated to fetch only most recent version information
Resolved in Pega Version 8.4.2
After upgrade, running Hfix scanner on Pega Marketing 8.2 displayed missed critical Hfixes for Pega Marketing 8.1. This has been resolved by modifying ProductInfoReader.runQuery to fetch only latest version of DAPF instances during a scan.
SR-D98404 · Issue 558207
Handling added for hotfix Rule-Application instances
Resolved in Pega Version 8.4.2
A null pointer error during DL file expansion performed as part of the second phase of a hotfix installation caused the hotfix install to fail. The null-pointer exception was thrown because the code, primarily used for export, performed a database lookup of a Rule-Application and assumed the response would be non-null without checking the result. During export the Rule-Application would normally exist because the system would have interacted with it already during the export by identifying it and writing it to the archive. During phased hotfix installation, rules are staged to the database in a different table during the first phase and reconstituted during the second phase. The scenario for this error was a missed corner case specific to the unusual combination of including Rule-Application instances in a platform hotfix. To resolve this and prevent further issues, handling has been added for this use case.
SR-C93602 · Issue 485517
White list filter added for X-Forward-Host value security
Resolved in Pega Version 8.3.2
In order to improve security, a validation for X-Forward-Host value has been added which will be read from a local configuration. This is in the form of a white list regex filter for the host/XFHost header to ensure the URL's actions cannot be redirected.
SR-D37894 · Issue 505974
Query parameters will be cleared after redirection from authentication
Resolved in Pega Version 8.3.2
When using the /PRAuth Servlet, running a snapstart URL generated from a secondary application correctly executed SAML Authentication and Pega processing, but a second URL generated with different parameters ran with the parameters from the first request. The third and subsequent requests processed as expected with the parameters sent in with the request. Investigation showed that the previous parameters were picked due to the query string parameters not being cleared after redirection, and this issue has been resolved by updating the system so it will clear the parameters after issuing a redirect from the authentication policy engine.
SR-D41454 · Issue 506535
Updated HotFix Manager for use in older versions
Resolved in Pega Version 8.3.2
The DL logic in Hotfix Manager was changed in 8.3 to include the catalog of all framework changes. This had the unintended side effect of preventing DLs from being installed in Pega 7.3.1 and lower versions as the versions included in the catalog are not present on those systems and the validation failed. This has been resolved by revising the DL update so the system will only add all apps to the catalog for platform 7.4+ DLs.
SR-D46133 · Issue 534649
Colon in folder or file name will be replaced with underscore during unzip
Resolved in Pega Version 8.3.2
After creating a product file (zip), attempting to import the same file into an updated system resulted in an exception. Investigation showed that in this case the zip file was a Product rule form which had applications packaged with a colon(:) in the name of the application, a format that was allowed in 6.x versions. Because Windows machines restrict creating creating any folder or file with : in its name, the zip file could not be inflated as part of the import process. To resolve this, the system has been updated so that a colon(:) will be replaced by underscore(_) during inflate operations.