With Frank MIA at the moment (I hope all is well though!) I'm not sure if this can even be addressed, but since there is potential reverse engineering activity afoot in the near term, I thought I'd mention it so it is logged somewhere.

The getfid CGI in DisplayServer lets you get raw (mp3) output and it includes a "savefile" parameter. Turns out that slashes within MP3 titles aren't being escaped to hex in the URI (/ = %2F). This can have some undesirable effects, such as the filename being truncated to whatever follows the last slash.

Not a show-stopper, but it's not expected behavior.