good point with the mkdir, mv and touch, I just pushed an update to use php functions for that instead of shell.
No reason to be concerned though, the user controlled input is sanitized and no shell command is/was executed based on unsanitized user input.
the user agent check was a relic from when it behaved differently, browser vs curl, it is not needed anymore and has been removed.
Pull Request are always welcome
edit: I also just pushed an update to use bin2hex(random_bytes(16)) instead of uniquid to make sure we never have collisions, for arguments sake (even though I thought that risk was rather low to begin with)
the user agent check was a relic from when it behaved differently, browser vs curl, it is not needed anymore and has been removed. Pull Request are always welcome
edit: I also just pushed an update to use bin2hex(random_bytes(16)) instead of uniquid to make sure we never have collisions, for arguments sake (even though I thought that risk was rather low to begin with)