path/filepath: path traversal in filepath.Clean on Windows (CVE-2022-41722)

[neild]

On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b.

Thanks to RyotaK (https://ryotak.net/) for reporting this issue.

This is a PRIVATE issue for CVE-2022-41722, tracked in http://b/261991454 and fixed by http://tg/1675249.

[neild]

@gopherbot please open backport issues. This is a security fix.

[gopherbot]

Backport issue(s) opened: #57275 (for 1.18), #57276 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[mdempsky]

@gopherbot Please backport to 1.20.

[gopherbot]

Change https://go.dev/cl/468119 mentions this issue: [release-branch.go1.20] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

[gopherbot]

Change https://go.dev/cl/468123 mentions this issue: path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

[gopherbot]

Change https://go.dev/cl/468115 mentions this issue: [release-branch.go1.19] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows