osv Google OSV:CURL-CVE-2023-27534
History: Mar 20, 2023 - 8:00 a.m.

SFTP path ~ resolving discrepancy

2023-03-20 08:00:00
Google
osv.dev
Tags: sftp, path, tilde, discrepancy, curl, implementation, bug, security, software, filtering

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.6 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 51.8%)

curl supports SFTP transfers. curl’s SFTP implementation offers a special
feature in the path component of URLs: a tilde (~) character as the first
path element denotes a path relative to the user’s home directory. This is
supported because of wording in the once-proposed, to-become RFC draft that
was to dictate how SFTP URLs work.

Due to a bug, the tilde handling in SFTP paths replaced the tilde not only
when it was used stand-alone as the first path element, but also, wrongly,
when it was used as a mere prefix in the first element.

Using a path like /~2/foo when accessing a server using the user dan (with
home directory /home/dan) would then quite surprisingly access the file
/home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.
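
The difference between prefix matching and whole-element matching, shown as an added example that is not curl's source code and not part of the original advisory. It is a simplified C model of the behaviour described above; the function names, buffer sizes and the sample paths other than /~2/foo are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flawed model: a first element that merely starts with '~' gets the '~'
 * swapped for the home directory ("/~2/foo" -> "<home>2/foo"). */
static const char *resolve_prefix_match(const char *path, const char *home,
                                        char *out, size_t outlen)
{
  int n;
  if(path[0] == '/' && path[1] == '~')
    n = snprintf(out, outlen, "%s%s", home, path + 2);
  else
    n = snprintf(out, outlen, "%s", path);
  return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

/* Strict model: expand only when '~' is the whole first element, i.e. the
 * path is exactly "/~" or begins with "/~/". */
static const char *resolve_exact_match(const char *path, const char *home,
                                       char *out, size_t outlen)
{
  int n;
  if(path[0] == '/' && path[1] == '~' &&
     (path[2] == '/' || path[2] == '\0'))
    n = snprintf(out, outlen, "%s%s", home, path + 2);
  else
    n = snprintf(out, outlen, "%s", path);
  return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

int main(void)
{
  /* Constructed sample paths; the home directory is the advisory's example. */
  const char *home = "/home/dan";
  const char *paths[] = { "/~/foo", "/~", "/~2/foo", "/srv/~/foo" };
  char a[256], b[256];
  size_t i;
  for(i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
    const char *p = resolve_prefix_match(paths[i], home, a, sizeof(a));
    const char *e = resolve_exact_match(paths[i], home, b, sizeof(b));
    printf("%-12s prefix: %-16s exact: %s\n", paths[i],
           p ? p : "(too long)", e ? e : "(too long)");
  }
  return 0;
}
```

A filter that inspects the URL path before resolution sees /~2/foo, while the prefix-matching resolver opens a file under a different user's directory; the strict form keeps the two views consistent.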
