In lib/exe/xmlrpc.php in putAttachment the given id isn't cleaned before the temporary file is created. As not all characters in the filename are allowed on all platforms, there are at least problems on windows, see
http://forum.dokuwiki.org/post/17808. On the other hand I'm wondering if we shouldn't clean that id before unlinking the temporary file (imagine ids like ../../conf/local.php...). Perhaps something like md5 of that id + a timestamp would be a better filename?