CVE-2023-27534: curl SFTP tilde expansion path traversal in Curl_getworkingpath
CVE-2023-27534: curl <8.0.0 has a path-traversal vulnerability in its SFTP path expansion. In lib/curl_path.c:Curl_getworkingpath, the SFTP branch checks only (working_path_len > 1) && (working_path[1] == '~') and then unconditionally slices working_path + 3 after prepending the local user's homedir. The check does not require the canonical /~/ prefix (compare to the SCP branch immediately above, which correctly uses memcmp(working_path, "/~/", 3) == 0).

Effects:

(1) Inputs like /~zX/... are mis-classified as tilde paths and 3 bytes are blindly sliced, producing <homedir>/X/...

(2) The URL controls the path used on the wire to the SFTP server in surprising ways, allowing payloads such as sftp://host/~/../../etc/passwd to traverse outside the home directory in wrappers that assumed ~ confined access.
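The two prefix checks side by side, as an added example (not curl's source and not part of the original write-up). The names expand_sftp, has_dotdot and show and the home directory /home/demo are hypothetical; the strict mode assumes the "/~/" comparison quoted for the SCP branch, and the ".." segment test is an assumed wrapper-side guard for effect (2).

```c
#include <stdio.h>
#include <string.h>

/* strict == 0: the SFTP check as described above (only path[1] is tested).
   strict == 1: require the literal "/~/" prefix, as the SCP branch does.
   Writes the expanded path to out; returns 1 if treated as a tilde path. */
static int expand_sftp(const char *path, const char *homedir, int strict,
                       char *out, size_t outlen)
{
  size_t len = strlen(path);
  int tilde = strict ? (len > 2 && memcmp(path, "/~/", 3) == 0)
                     : (len > 1 && path[1] == '~');
  if(tilde) /* homedir + '/' + whatever follows the first three bytes */
    snprintf(out, outlen, "%s/%s", homedir, len > 3 ? path + 3 : "");
  else
    snprintf(out, outlen, "%s", path);
  return tilde;
}

/* Assumed wrapper-side guard: is any '/'-separated segment exactly ".."? */
static int has_dotdot(const char *path)
{
  for(const char *p = path; *p; p += (*p == '/')) {
    size_t seg = strcspn(p, "/");
    if(seg == 2 && p[0] == '.' && p[1] == '.')
      return 1;
    p += seg;
  }
  return 0;
}

/* Expand against a constructed home directory and return the result. */
static const char *show(const char *path, int strict)
{
  static char buf[256];
  expand_sftp(path, "/home/demo", strict, buf, sizeof(buf));
  return buf;
}

int main(void)
{
  const char *in[] = { "/~zX/file", "/~/notes.txt", "/~/../../etc/passwd" };
  for(size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
    printf("%-22s loose:  %s\n", in[i], show(in[i], 0));
    const char *s = show(in[i], 1);
    printf("%-22s strict: %s (dotdot=%d)\n", "", s, has_dotdot(s));
  }
  return 0;
}
```

The strict prefix check only removes the mis-classification in effect (1). The /~/../../etc/passwd input still expands to a path containing ".." segments, so a wrapper that relies on ~ for confinement has to test for them separately.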