Ensure symlinks work as expected (and secured).

lib/jekyll/theme.rb

@@ -34,10 +34,19 @@ module Jekyll
     private
 
     def path_for(folder)
-      path = Jekyll.sanitized_path root, "_#{folder}"
+      resolved_dir = realpath_for(folder)
+      return unless resolved_dir
+
+      path = Jekyll.sanitized_path(root, resolved_dir)
       path if Dir.exists?(path)
     end
 
+    def realpath_for(folder)
+      File.realpath(Jekyll.sanitized_path(root, "_#{folder}"))
+    rescue Errno::ENOENT, Errno::EACCES, Errno::ELOOP
+      nil
+    end
+
     def gemspec
       @gemspec ||= Gem::Specification.find_by_name(name)
     rescue Gem::LoadError

test/fixtures/test-theme/_symlink

@@ -0,0 +1 @@
+_layouts

test/test_theme.rb

@@ -52,6 +52,11 @@ class TestTheme < JekyllUnitTest
     should "return nil for paths that don't exist" do
       assert_equal nil, @theme.send(:path_for, "foo")
     end
+
+    should "return the resolved path when a symlink & resolved path exists" do
+      expected = File.expand_path("./_layouts", @expected_root)
+      assert_equal expected, @theme.send(:path_for, :symlink)
+    end
   end
 
   should "retrieve the gemspec" do