In includes/upload.php remove:
$this->file_name = str_replace(" ", "_", $this->file_name);
$this->file_name = str_replace("%20", "_", $this->file_name);
$this->file_name = preg_replace("/[^-\._a-zA-Z0-9]/", "", $this->file_name);
(it's still a bad idea. The best way to go around this is to store original filename in database and send that filename when file being download)