darktable open image location shortcut

openlocation.lua

--[[
    This file is copyright (c) 2017 Michael Demetriou
    It is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This file is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this file.  If not, see <http://www.gnu.org/licenses/>.
]]

--[[
OPEN LOCATION
Opens the location of the selected image in nautilus
USAGE
* require this file from your main lua config file
* set a shortcut for "Open image location"
]]
local dt = require "darktable"
dt.configuration.check_version(...,{4,0,0})

local function open_location()
  local images = dt.gui.action_images  
  for _, i in ipairs(images) do
     os.execute('nautilus "'.. i.path .. '/' .. i.filename ..'"')
  end
end

dt.register_event("shortcut",function(event, shortcut)
    open_location()
end, "Open image location")

--
-- vim: syntax=lua

I'm pretty sure that any file pathname containing a double-quote, backtick or dollar character (more likely in a directory component, but potentially in a filename), will cause problems here because they will get interpreted by /bin/sh when you call os.execute(). The most likely outcome is that the command will simply fail, but at worst you could have a shell injection exploit. Using something like

"\"" .. string.gsub(i.path .. '/' .. i.filename, "([\"\\`$])", "\\%1") .. "\""

should escape the troublesome cases. See https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html