Traversal outside working tree enables arbitrary code execution

Refs and paths with reserved Windows device names access the devices