Ensure symlinks work as expected (and secured).

2016-04-21 16:32:52 -07:00 · 2016-04-21 16:32:52 -07:00 · 57ccbe08ea
--- a/lib/jekyll/theme.rb
+++ b/lib/jekyll/theme.rb
@ -34,10 +34,19 @@ module Jekyll
    private

    def path_for(folder)
-      path = Jekyll.sanitized_path root, "_#{folder}"
+      resolved_dir = realpath_for(folder)
+      return unless resolved_dir
+
+      path = Jekyll.sanitized_path(root, resolved_dir)
      path if Dir.exists?(path)
    end

+    def realpath_for(folder)
+      File.realpath(Jekyll.sanitized_path(root, "_#{folder}"))
+    rescue Errno::ENOENT, Errno::EACCES, Errno::ELOOP
+      nil
+    end
+
    def gemspec
      @gemspec ||= Gem::Specification.find_by_name(name)
    rescue Gem::LoadError
--- a/test/fixtures/test-theme/_symlink
+++ b/test/fixtures/test-theme/_symlink
@ -0,0 +1 @@
+_layouts
--- a/test/test_theme.rb
+++ b/test/test_theme.rb
@ -52,6 +52,11 @@ class TestTheme < JekyllUnitTest
    should "return nil for paths that don't exist" do
      assert_equal nil, @theme.send(:path_for, "foo")
    end
+
+    should "return the resolved path when a symlink & resolved path exists" do
+      expected = File.expand_path("./_layouts", @expected_root)
+      assert_equal expected, @theme.send(:path_for, :symlink)
+    end
  end

  should "retrieve the gemspec" do