os, net/http: avoid escapes from os.DirFS and http.Dir on Windows CVE-2022-41720

[neild]

This is a PRIVATE issue for CVE-2022-41720 tracked in http://b/257275141.

os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

The os.DirFS function and http.Dir type provide access to a tree of files
rooted at a given directory. These functions permitted access to Windows
device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.

In addition, on Windows, an os.DirFS for the directory \(the root of the
current drive) can permit a maliciously crafted path to escape from the
drive and access any path on the system.

The behavior of os.DirFS("") has changed. Previously, an empty root was
treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp".
This now returns an error.

[neild]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #57005 (for 1.18), #57006 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/455362 mentions this issue: [release-branch.go1.19] os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

[gopherbot]

Change https://go.dev/cl/455360 mentions this issue: [release-branch.go1.18] os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

[gopherbot]

Change https://go.dev/cl/455716 mentions this issue: os, net/http: avoid escapes from os.DirFS and http.Dir on Windows