CVE-2023-27534: curl SFTP path traversal via weak tilde-prefix check in Curl_getworkingpath
curl <= 7.88.0 has a path-traversal vulnerability in its SFTP backend (CVE-2023-27534, CVSS 8.8). In Curl_getworkingpath() (lib/curl_path.c, SFTP branch lines 63-93), the function decides whether to expand the user-supplied URL path relative to the SSH user's home directory by checking ONLY the second byte of the path: if((working_path_len > 1) && (working_path[1] == '~')). It never verifies that the path actually carries the well-formed prefix /~/, and it does not sanitize .. segments. As a result, attacker-influenced paths such as /~/../../etc/passwd, /~x/../../etc/shadow, or even /~bad/anything are expanded by prefixing the user's home directory to everything after their first three bytes, producing server paths that escape the intended directory and reach arbitrary files over SFTP.
Glob lib/vssh/**/*.c (libssh.c, libssh2.c, wolfssh.c).
3. Grep'd for Curl_getworkingpath: three SSH backends all delegate to the same helper in lib/curl_path.c.
4. Read lib/curl_path.c lines 36-101: the SCP branch correctly uses memcmp(working_path, "/~/", 3), whereas the SFTP branch only checks working_path[1] == '~'. The asymmetry is the bug.
5. Traced the unsafe memcpy(real_path + homelen, working_path + 3, 1 + working_path_len - 3), which blindly splices the bytes after the (mis)matched tilde, allowing .. to slip through.
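The weak check and its hardened counterpart, as an added example in C that is not curl's code: a simplified model of the SFTP branch described above, beside a version that requires the exact "/~/" prefix (the SCP branch's test) and, as an extra check assumed here rather than taken from curl's fix, refuses ".." segments. The home directory and paths are constructed sample values.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of the SFTP branch of Curl_getworkingpath() described above
 * (hypothetical helpers, not curl's code). Caller frees the returned buffer. */
static char *dupstr(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }

/* Pre-fix logic: only byte [1] is tested, then three bytes are skipped
 * unconditionally, so "/~x/..." and "/~bad/..." expand exactly like "/~/". */
char *sftp_workingpath_weak(const char *homedir, const char *working_path) {
    size_t wlen = strlen(working_path), homelen = strlen(homedir);
    if (wlen > 1 && working_path[1] == '~') {
        char *real_path = malloc(homelen + wlen + 1);
        if (!real_path) return NULL;
        memcpy(real_path, homedir, homelen);
        real_path[homelen] = '/';
        real_path[homelen + 1] = '\0';
        if (wlen > 3)  /* blindly splice whatever follows the first 3 bytes */
            memcpy(real_path + homelen + 1, working_path + 3, wlen - 3 + 1);
        return real_path;
    }
    return dupstr(working_path);
}

/* Returns 1 if any '/'-separated segment of p is exactly "..". */
static int has_dotdot_segment(const char *p) {
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 1;
        p += n + (p[n] == '/');
    }
    return 0;
}

/* Hardened logic: expand only the exact "/~/" prefix (as the SCP branch does);
 * any other path is used literally. Refusing ".." segments is an extra check
 * of this model, not part of curl's fix. NULL means reject the transfer. */
char *sftp_workingpath_safe(const char *homedir, const char *working_path) {
    size_t wlen = strlen(working_path), homelen = strlen(homedir);
    if (wlen >= 3 && memcmp(working_path, "/~/", 3) == 0) {
        const char *rel = working_path + 3;
        if (has_dotdot_segment(rel)) return NULL;
        char *real_path = malloc(homelen + 1 + (wlen - 3) + 1);
        if (!real_path) return NULL;
        memcpy(real_path, homedir, homelen);
        real_path[homelen] = '/';
        memcpy(real_path + homelen + 1, rel, wlen - 3 + 1);
        return real_path;
    }
    return dupstr(working_path);
}
```

With home directory /home/alice, the weak version turns /~x/../../etc/shadow into /home/alice//../../etc/shadow and /~bad/anything into /home/alice/ad/anything, while the hardened version leaves /~x/... literal and rejects /~/../../etc/passwd outright.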