A request URI path should be normalized before matching it against @Path values.
For instance, the following path
    /user/%7ezo%ce%ab/a/../b/./c
should be normalized to
    /user/~zo%CE%AB/b/c
before trying to match it against regular expressions built from @Path values.
1. %7e is unescaped as ~ is an unreserved character;
2. %ce%ab (escaped UTF-8 for ë) is converted to uppercase hex digits;
3. ".." and "." path segments are resolved.
I suggest explicitly requiring some of the syntax-based normalization methods
defined in RFC 3986 "URI: Generic Syntax". Specifically: §6.2.2.1. case
normalization; §6.2.2.2. percent-encoding normalization; and §6.2.2.3. path
segment normalization.
Text to this effect could be added to JAX-RS §3.7.1 Request Preprocessing.
For instance, add a new step 1 before the existing one:
1. Normalize the URI path following the rules in RFC 3986 "URI: Generic Syntax":
   * case normalization,
     e.g. "%3e" is normalized to "%3E";
   * percent-encoding normalization,
     e.g. "%7E" is normalized to "~" as a tilde is an unreserved character;
   * path segment normalization,
     e.g. "/a/../b/./c" is normalized to "/b/c".
James Manger
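
An added example, not part of the original message or of any JAX-RS implementation: a Python sketch of the three RFC 3986 normalization steps listed above. Percent-escapes are normalized before dot segments are removed, so an escaped dot such as %2e is resolved as a dot segment while a reserved character such as %2F stays escaped. The function names are assumptions.

```python
import re

# RFC 3986 §2.3 unreserved characters: ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def _normalize_escape(match):
    ch = chr(int(match.group(1), 16))
    # §6.2.2.2: decode only unreserved characters.
    # §6.2.2.1: every escape that remains gets uppercase hex digits.
    return ch if ch in UNRESERVED else "%" + match.group(1).upper()


def remove_dot_segments(path):
    """RFC 3986 §5.2.4, the algorithm §6.2.2.3 refers to."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]   # "/.." leaves "/", "/../x" leaves "/x"
            if out:                 # never climbs above the root
                out.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # Move the first segment (with its leading "/") to the output.
            idx = path.find("/", 1)
            if idx == -1:
                out.append(path)
                path = ""
            else:
                out.append(path[:idx])
                path = path[idx:]
    return "".join(out)


def normalize_path(raw_path):
    # Escapes first, so "%2e%2e" is seen as ".." by dot-segment removal.
    # Malformed escapes such as "%zz" do not match and are left untouched.
    return remove_dot_segments(_ESCAPE.sub(_normalize_escape, raw_path))
```

A matcher that resolves dot segments on the raw path and decodes afterwards would treat `/a/%2e%2e/b` and `/b` as different resources; normalizing in the order above makes them the same path before any @Path pattern is consulted.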