[1.4.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.

Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656 from master