Geir expressed concern over security issues with this patch. I posted this on the dev list... no push back from other developers. So I think we should re-apply this.
Here's why I'm not worried:
(1) Outside users do not directly provide a template name. In a typical back-end use this is programmed by the developer. In a web use this comes from the URL (which can be filtered before sending to Velocity).
(2) If a developer does not want to allow absolute file names, he/she just needs to configure a template path. (Note that this patch only applies for cases where the template path is not set).
(3) This doesn't affect any existing code, because all existing uses of FileResourceLoader set a template path.