Report

CVE-2023-27534: curl SFTP path traversal via loose tilde-expansion check

c2becbb4-73a0-4310-b85f-1495121070a0

In curl's lib/curl_path.c, Curl_getworkingpath() has two branches for tilde expansion, one for SCP and one for SFTP, and they gate the expansion differently. The SCP branch checks !memcmp(working_path, "/~/", 3), so the path must begin with the complete token /~/. The SFTP branch only checks working_path[1] == '~', which fires for any URL-decoded path whose second byte is ~, that is, anything starting with /~, including paths such as /~2/foo or /~dan/file that were never written as home-relative. Such a path is then rewritten as homedir/ followed by whatever comes after its first three bytes and sent to the server, so the transfer touches a file under the user's home directory instead of the path the user actually wrote (curl's own advisory uses /~2/foo as the example). A URL like sftp://server/~/../../etc/passwd does not exercise this bug: it starts with /~/ and is accepted by both checks, and the .. segments are the client's own request, resolved by the server under the account's normal permissions. The defect is purely the prefix match on /~ without requiring the closing slash. The fix in curl 8.0.0 makes the SFTP branch require the full /~/ token, as the SCP branch already did.
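The following is an added example, not curl's code: it models the two checks described above as small predicates, runs them side by side over constructed sample paths, and flags every path on which they disagree. The expansion step (drop the first three bytes, prepend homedir/) and the length guard on the strict check are modelled from the description above and are assumptions, not quotations from lib/curl_path.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code: models the two tilde checks from the
   report so the discrepancy can be exercised on sample paths. */

/* Loose check modelled on the pre-fix SFTP branch: any path whose second
   byte is '~' (i.e. anything starting with "/~") counts as home-relative. */
static int tilde_loose(const char *path, size_t len)
{
    return len > 1 && path[1] == '~';
}

/* Strict check modelled on the SCP branch: the path must start with the
   complete token "/~/". The length guard (>= 3) is an assumption. */
static int tilde_strict(const char *path, size_t len)
{
    return len >= 3 && memcmp(path, "/~/", 3) == 0;
}

/* Model of the rewrite the report describes: drop the first three bytes
   of the path and prepend "homedir/". Which bytes are dropped is an
   assumption about the real code; the point is that the loose check
   applies this rewrite to paths that never contained "/~/".
   Returns a malloc'd string (or NULL on allocation failure). */
static char *expand_home(const char *homedir, const char *path, int strict)
{
    size_t len = strlen(path);
    int is_home = strict ? tilde_strict(path, len) : tilde_loose(path, len);
    char *out;

    if (!is_home) {                 /* not home-relative: pass through */
        out = malloc(len + 1);
        if (out)
            memcpy(out, path, len + 1);
        return out;
    }
    const char *rest = len > 3 ? path + 3 : "";
    size_t out_len = strlen(homedir) + 1 + strlen(rest) + 1;
    out = malloc(out_len);
    if (out)
        snprintf(out, out_len, "%s/%s", homedir, rest);
    return out;
}

/* Returns 1 when the two checks classify a path differently, 0 otherwise.
   Every path for which this returns 1 is one the loose SFTP branch
   rewrites although the user never wrote "/~/". */
static int checks_disagree(const char *path)
{
    size_t len = strlen(path);
    return tilde_loose(path, len) != tilde_strict(path, len);
}

int main(void)
{
    const char *homedir = "/home/dan";          /* constructed sample */
    const char *samples[] = {                   /* constructed sample paths */
        "/~/foo", "/~2/foo", "/~dan/.ssh/id_rsa", "/var/tmp/x", "/~"
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *l = expand_home(homedir, samples[i], 0);
        char *s = expand_home(homedir, samples[i], 1);
        printf("%-20s loose=%-18s strict=%-18s %s\n", samples[i],
               l ? l : "(oom)", s ? s : "(oom)",
               checks_disagree(samples[i]) ? "<-- discrepancy" : "");
        free(l);
        free(s);
    }
    return 0;
}
```

Only /~/foo is treated identically by both checks; /~2/foo, /~dan/.ssh/id_rsa and the bare /~ are accepted by the loose check alone, which is exactly the class of paths the 8.0.0 fix stops rewriting.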