[release-branch.go1.25] os/exec: fix incorrect expansion of ".." in LookPath on plan9

The correction in CL 685755 is incomplete for plan9, where path
search is performed even on file strings containing "/". By
applying filepath.Clean to the argument of validateLookPath,
we can check for bogus file strings containing ".." where the
later call to filepath.Join would transform a path like
"badfile/dir/.." to "badfile" even where "dir" isn't a directory
or doesn't exist.

For #74466
Fixes #75008

Change-Id: I3f8b73a1de6bc7d8001b1ca8e74b78722408548e
Reviewed-on: https://go-review.googlesource.com/c/go/+/693935
Reviewed-by: David du Colombier <0intro@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
(cherry picked from commit 674c5f0edd82b5d1dd5cb44eb4b85830245c151e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/698416
Reviewed-by: Cherry Mui <cherryyz@google.com>

diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go
index 0430af9eefeb420adcb9788b96ed134dc6f7d36a..f713a6905cfbdc77b83f5dfc1c6ffcb35deadec2 100644 (file)
--- a/src/os/exec/lp_plan9.go
+++ b/src/os/exec/lp_plan9.go
@@ -36,7 +36,7 @@ func findExecutable(file string) error {
 // As of Go 1.19, LookPath will instead return that path along with an error satisfying
 // [errors.Is](err, [ErrDot]). See the package documentation for more details.
 func LookPath(file string) (string, error) {
-       if err := validateLookPath(file); err != nil {
+       if err := validateLookPath(filepath.Clean(file)); err != nil {
                return "", &Error{file, err}
        }