Yeah, this is a very hairy area of the module, since "uploadFolder" serves two purposes. Originally, I was only looking at the $uploadFolder property if allowFolderSelection was on, but that proved problematic in many ways, so that property has been through quite a number of changes.
I also need to create the method setUploadFolder() so we can be sure users aren't including the ASSET_DIR in the path. I believe FileDOM has a way of sanitizing the input. I'll use that as a reference point.
SilverStripe tips, tutorials, screencasts and more: http://www.leftandmain.com