FreeBSD 1D96305D-6AE6-11DD-91D5-000C29D47FD7
Jun 03, 2008 - 12:00 a.m.

Bugzilla -- Directory Traversal in importxml.pl

2008-06-03 00:00:00
vuxml.freebsd.org

CVSS2: 7.1 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.006 Low
Percentile: 79.3%

A Bugzilla Security Advisory reports:

When importing bugs using importxml.pl, the --attach_path
option can be specified, pointing to the directory where
attachments to import are stored. If the XML file being
read by importxml.pl contains a malicious
…/relative_path/to/local_file
node, the script follows this relative path and attaches the
local file pointed by it to the bug, making the file public.
The security fix makes sure the relative path is always
ignored.
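
The failure mode and the kind of check that closes it, as an added Perl example (not Bugzilla's code or its actual patch). The function names, the temporary directory layout and the use of `basename` to ignore the relative path are assumptions made for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Basename qw(basename dirname);
use File::Spec;
use File::Temp qw(tempdir);

# Vulnerable pattern: the file name taken from the XML is joined to the
# attachment directory as-is, so "../" components escape that directory.
sub resolve_naive {
    my ($attach_path, $name) = @_;
    return File::Spec->catfile($attach_path, $name);
}

# Hardened pattern: ignore any directory part of the name, then confirm the
# resolved file sits directly inside the attachment directory.
sub resolve_safe {
    my ($attach_path, $name) = @_;
    my $leaf = basename($name);
    return undef if $leaf eq '' || $leaf eq '.' || $leaf eq '..';
    my $base = realpath($attach_path);
    return undef unless defined $base;
    my $candidate = File::Spec->catfile($base, $leaf);
    return undef unless -f $candidate;
    # realpath follows symlinks, so a link that points outside fails here.
    my $real = realpath($candidate);
    return undef unless defined $real && dirname($real) eq $base;
    return $real;
}

# Constructed sample layout: one legitimate attachment and one file that
# lives outside the attachment directory.
my $root   = tempdir(CLEANUP => 1);
my $attach = File::Spec->catdir($root, 'attachments');
mkdir $attach or die "mkdir: $!";
for my $file ([$attach, 'patch.diff'], [$root, 'secret.txt']) {
    my $path = File::Spec->catfile(@$file);
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} "constructed sample\n";
    close $fh;
}

for my $name ('patch.diff', '../secret.txt') {
    my $naive = resolve_naive($attach, $name);
    my $safe  = resolve_safe($attach, $name);
    printf "%-16s naive=%s safe=%s\n", $name,
        (-f $naive ? 'readable' : 'missing'),
        (defined $safe ? 'attached' : 'rejected');
}
```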
