Hi!

It's possible do excecute any code on the target machine with that bug!

How you can reproduce the bug

1. put that into a mail filter

xfilter "reformail -i'Subject: bla bla + $SUBJECT'"

2. write a mail with a subject that contains a '

3. you will get following error log in the maillog

sh: -c: line 1: unexpected EOF while looking for matching `'' sh: -c: line 2: syntax error: unexpected end of file maildrop: error writing to filter. /usr/lib/courier/bin/maildrop: Unable to filter message. status: deferred

4. i tried SUBJECT=escape($SUBJECT), didn't help.

5. I can reproduce it with 0.37 and 0.38 versions - currently I'm using courier-0.38.1-1.7.2