I completely agree.

The script was meant mostly for those who had an idea what they were doing with it and were careful. It is definitely not meant for anyone to just drop onto their website verbatim and use without care. (Although it was originally written as a replacement for someone who was just including files directly from the query string on their site, and thus exposing all the files in EoFF's account as well)

And you are right about other OS's. Windows hates a number of those characters in filenames, and Mac uses ":" as the directory delimiter, so the script would need to be far more robust to work correctly in anything beyond *nix. I believe PHP does some of the necessary directory delimiter translation automatically, but the script would certainly need a lot more testing in that case.