1.07.1 Released

1.07.1 is primarily a bug fix release.

The main bug fixed was a security vulnerability in version 1.07.0 (only that version) that allowed the script to act as an open relay if the webmaster had CHECK_REFERER set to false (and only if it was set to false) and did not use the $recipient_array. If you use 1.07.0, CHECK_REFERER is set to false, and you don't use the $recipient_array, you should upgrade immediately. All other configurations should not be affected by this vulnerability, but upgrading to the latest version is always recommended.

I've also changed the HTML and the e-mail output to be in UTF-8 to allow more international users to be able to use the script. There is no change that has to be done to take advantage of this.

One note about UTF-8: While the email and the HTML will display the UTF-8 properly, I haven't had a chance to modify the script to optionally use the multi-byte extension for the regex calls. If you have a form and it uses a _regex field, expect the regex to always fail the user on multi-byte languages. While adding UTF-8 might seem pointless right now, it's not. Users can still fill in the other fields in their native language.

As usual, the updated version can be downloaded at the download page.

-Andrew Riley

1.07.1 2005/03/27
---------------------------
- Removed the conditional block around the block of if statements that called $recipient_function to fix the CHECK_REFERER=false vulnerability
- Removed the PHPFormMail version number from the HTML output. It is still reported in the e-mail.
* Moved the $recipient_array checking code from a variable to be embedded in the if statement since it's only used once
* Changed the HTML output to use the charset of utf-8
+ Added a new header to the e-mail output so the email will use the charset of utf-8
* Cleaned up some double quotes that should be single quotes
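
The pattern behind the first changelog entry, as an added illustration that is not PHPFormMail's code: a recipient check nested inside a conditional is skipped whenever that conditional is false. It assumes the removed conditional depended on CHECK_REFERER; the function names and the domain allowlist are hypothetical.

```php
<?php
// Simplified model; every name except CHECK_REFERER is hypothetical.
define('CHECK_REFERER', false);          // the affected setting

// Constructed allowlist of domains the form may send mail to.
$allowed_domains = array('example.org');

// Hypothetical helper: true only for a single address in an allowed domain.
function recipient_allowed($recipient, $allowed_domains)
{
    // Refuse line breaks and separators so the value is one address only.
    if (preg_match('/[\r\n,;]/', $recipient)) {
        return false;
    }
    $at = strrpos($recipient, '@');
    if ($at === false) {
        return false;
    }
    $domain = strtolower(substr($recipient, $at + 1));
    return in_array($domain, $allowed_domains, true);
}

// Pattern of the bug: the recipient check runs only when referer checking is on.
function accept_vulnerable($recipient, $allowed_domains)
{
    if (CHECK_REFERER) {
        if (!recipient_allowed($recipient, $allowed_domains)) {
            return false;
        }
    }
    return true; // with CHECK_REFERER false, nothing above was evaluated
}

// Pattern of the fix: the recipient check is unconditional.
function accept_fixed($recipient, $allowed_domains)
{
    return recipient_allowed($recipient, $allowed_domains);
}

// Constructed inputs: one address inside the allowlist, one outside it.
foreach (array('webmaster@example.org', 'someone@elsewhere.test') as $to) {
    printf("%-24s vulnerable=%s fixed=%s\n", $to,
        var_export(accept_vulnerable($to, $allowed_domains), true),
        var_export(accept_fixed($to, $allowed_domains), true));
}
```

Only the second address differs between the two functions, which is why a form handler's recipient validation should never depend on an unrelated setting.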
