Hi Alexander,

As to "address", I recommend that rather than completely remove the
check for slash you replace it with a check preventing traversal to
upper-level directories.

Something like:

        if (strchr(user, '/') ||
            !strcmp(user, "..") ||
            strstr(address, ".."))
                return NULL;

...and you don't need vname_lookup_fail.

This is completely untested, use at your own risk.

Was able to drastically simplify the patch by just replacing

  if ( strchr(user, '/') || ...

with:

  if ( strstr(address, "..") || ...

The above seems to work fine.

- Andy
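An added example, not part of either message and not the project's code: the check as sketched above, next to a component-wise variant that rejects only "." and ".." path components, so a name such as "a..b" is still accepted. The function names, the assumption that "address" may hold '/'-separated components, and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* The check as sketched in the message: returns 1 to reject, 0 to accept. */
static int reject_as_posted(const char *user, const char *address)
{
    return strchr(user, '/') != NULL ||
           strcmp(user, "..") == 0 ||
           strstr(address, "..") != NULL;
}

/* Hypothetical stricter variant (an assumption, not from the thread):
 * "address" may hold '/'-separated components, and each component must be
 * non-empty and must not be "." or "..". Dots inside a name are allowed. */
static int reject_componentwise(const char *user, const char *address)
{
    const char *p = address;

    if (user[0] == '\0' || strchr(user, '/') ||
        !strcmp(user, ".") || !strcmp(user, ".."))
        return 1;
    for (;;) {
        size_t n = strcspn(p, "/");            /* length of this component */
        if (n == 0 ||
            (n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return 1;
        if (p[n] == '\0')
            return 0;                          /* last component was fine */
        p += n + 1;                            /* skip past the '/' */
    }
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    const char *addr[] = { "example.com", "../other", "a..b", "sub/../x", "a//b" };
    size_t i;

    for (i = 0; i < sizeof addr / sizeof addr[0]; i++)
        printf("%-12s posted=%d componentwise=%d\n", addr[i],
               reject_as_posted("bob", addr[i]),
               reject_componentwise("bob", addr[i]));
    return 0;
}
```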
