You're partially right that curl is blocking '..'. But it's not blocking '%2e%2e'. I got it to avoid blocking '..' with the --path-as-is flag.

I redid the tests, with curl's --path-as-is flag, as well as with raw TCP (via netcat), and SimpleHTTPServer is still not vulnerable.