The isAllowed method does not correctly manage file path comparison and on line 280

$isWithinUploads = (strpos($filename, realpath($upload_dir)) !== false);

The $filename has to be wrapped into the realpath() function too.