security: fix CVE-2022-41722 [1.20 backport]

[gopherbot]

@neild requested issue #57274 to be considered for backport to the next 1.20 minor release.

@gopherbot please open backport issues. This is a security fix.

[rolandshoemaker]

Manually bumping because backports were opened before 1.20 was released.

[gopherbot]

Change https://go.dev/cl/468119 mentions this issue: [release-branch.go1.20] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

[gopherbot]

Closed by merging bdf07c2 to release-branch.go1.20.