This function tries to make sure that the user can only unmount his own mounts
below /media/$user. It also rejects backslashes in the path. However, it does
not reject relative path components or shell metacharacters.
- This allows a regular user to unmount arbitrary file systems by passing paths like "/media/$user/../../tmp".
- Since the unmount is performed by calling the umount utility via "/bin/sh", shell metacharacters will be interpreted. Passing a path like '/media/testuser/$(date)' will cause the setuid-root program to execute the date program as root. This leads to full code execution as root. The only requirement is that a directory of the same name exists. Spaces are also allowed in the path, so even complex commands can be executed as root.
I recommend rejecting relative path components and shell metacharacters in
this function to fix the issue.
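
A sketch of the recommended check, added here as an example and not taken from the affected program: the function names are hypothetical, and it assumes a purely lexical test with a character allowlist (stricter than a metacharacter denylist, so paths containing spaces are refused as well).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One path component: non-empty, not "." or "..", allowlisted characters only.
 * Assumption: an allowlist, stricter than a metacharacter denylist; spaces are refused. */
static int safe_component(const char *s, size_t len)
{
    if (len == 0 || (len <= 2 && s[0] == '.' && s[len - 1] == '.'))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Hypothetical helper: returns 1 only if path lies strictly below /media/<user>/. */
int is_safe_unmount_path(const char *path, const char *user)
{
    char prefix[256];
    if (!safe_component(user, strlen(user)))
        return 0;
    int n = snprintf(prefix, sizeof prefix, "/media/%s/", user);
    if (n < 0 || (size_t)n >= sizeof prefix || strncmp(path, prefix, (size_t)n) != 0)
        return 0;
    for (const char *p = path + n;; p++) {
        size_t len = strcspn(p, "/");
        if (!safe_component(p, len))   /* also rejects "//" and a trailing "/" */
            return 0;
        p += len;
        if (*p != '/')
            return 1;                  /* reached the end of the string */
    }
}

int main(void)
{
    /* Constructed inputs: one ordinary mount and the two cases from the report. */
    const char *t[] = { "/media/testuser/usbstick", "/media/testuser/../../tmp",
                        "/media/testuser/$(date)" };
    for (int i = 0; i < 3; i++)
        printf("%-28s -> %s\n", t[i],
               is_safe_unmount_path(t[i], "testuser") ? "accept" : "reject");
    return 0;
}
```

Running umount through an exec-family call with an argument vector instead of "/bin/sh" would remove the shell interpretation entirely and make the allowlist a second line of defence rather than the only one.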