authorRoland Shoemaker <roland@golang.org>2022-05-25 12:54:08 -0700
committerRoland Shoemaker <roland@golang.org>2022-05-25 23:09:36 +0000
commit793ad666bf5ec61392092b27061be9618e4e219b (patch)
tree91d32e7299638b5b2dcdd9f5edb7a50c16cf693f
parent6f7dac9698988af7b704298c9fd8adf58e1d30c0 (diff)
acme/autocert: properly clean DirCache paths
Don't assume the path passed into the DirCache methods is absolute, and clean it before further operating on it. Put and Delete are not attacker controlled, but clean them anyway. Fixes #53082 Fixes CVE-2022-30636 Change-Id: I755f525a737da60ccba07ebce4d41cc8faebfcca Reviewed-on: https://go-review.googlesource.com/c/crypto/+/408694 Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
-rw-r--r--acme/autocert/cache.go6
1 files changed, 3 insertions, 3 deletions
diff --git a/acme/autocert/cache.go b/acme/autocert/cache.go
index 03f6302..3156a08 100644
--- a/acme/autocert/cache.go
+++ b/acme/autocert/cache.go
@@ -41,7 +41,7 @@ type DirCache string
// Get reads a certificate data from the specified file name.
func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
- name = filepath.Join(string(d), name)
+ name = filepath.Join(string(d), filepath.Clean("/"+name))
var (
data []byte
err error
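Review bot: The expression `filepath.Clean("/"+name)` in Get has no comment explaining why the name is rooted before cleaning, and the same expression is repeated in Put's rename and in Delete. The leading "/" is what makes Clean discard `..` elements at the start of the name, so a later edit that simplifies it to `filepath.Clean(name)` would quietly reopen the traversal. I would move it into one unexported helper carrying a comment such as `// Root name before cleaning so leading ".." elements are dropped and the result stays under d.` and call that helper from all three methods. Get's body continues beyond the hunk.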
@@ -82,7 +82,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
case <-ctx.Done():
// Don't overwrite the file if the context was canceled.
default:
- newName := filepath.Join(string(d), name)
+ newName := filepath.Join(string(d), filepath.Clean("/"+name))
err = os.Rename(tmp, newName)
}
}()
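Review bot: Only the rename destination `newName` is cleaned in this hunk. How `tmp` is produced lies outside it, so I cannot confirm from here that the temporary file's path is not also built from the raw `name`. If it is, that write needs the same cleaning, or a check that rejects names containing a path separator, before the file is created. Put starts and ends outside the hunk.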
@@ -96,7 +96,7 @@ func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
// Delete removes the specified file name.
func (d DirCache) Delete(ctx context.Context, name string) error {
- name = filepath.Join(string(d), name)
+ name = filepath.Join(string(d), filepath.Clean("/"+name))
var (
err error
done = make(chan struct{})
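Review bot: The diffstat lists only cache.go, so the cleaned join in Delete, like the ones in Get and Put, lands without a regression test. A table-driven test that passes names with `..` elements written with both `/` and `\` separators, and asserts the resolved file stays inside a temporary cache directory, would pin the behaviour, including on Windows where both separators are honoured. A doc line on DirCache should also state that such names are normalised rather than rejected, since `../x` and `x` now address the same entry. Delete's body continues beyond the hunk.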