Versions Compared

Comment: fixed spello

...

A non-serializable class can be extended and its subclass can be made serializable. A subclass also automatically becomes serializable if it derives from a serializable class. During deserialization of the subclass, the JVM calls the no-argument constructor of the most derived superclass that does not implement java.io.Serializable, either directly or indirectly; this reinitializes the state of that superclass, whose fields are not part of the serialized form. In the following code snippet, class A's no-argument constructor is called when C is deserialized because A does not implement Serializable, and Object's constructor is invoked in turn; the constructors of the serializable classes between A and C are not run. This sequence cannot be expressed in ordinary Java source, because a constructor can only invoke its immediate superclass's constructor, so the JVM generates the equivalent bytecode at runtime. Normally, when a subclass constructor invokes its superclass's constructor, the subclass constructor's frame remains on the call stack. During deserialization this does not happen: the only caller is the runtime-generated, unverified bytecode. Consequently, any stack-inspection security check performed in the superclass's constructor (a SecurityManager or AccessController.checkPermission() call, for example) cannot see the subclass, and the complete execution chain is not brought under scrutiny.

...
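The constructor behavior described above, as an added example that is not the page's own snippet: a non-serializable class A with a serializable subclass B and a further subclass C. The class names follow the text; the `token` field, the stack check inside A's constructor (a stand-in for a real stack-inspection security check) and the class name `DeserializationConstructorDemo` are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not the CERT snippet): which constructors run, and what the
 * call stack looks like, when a serializable subclass C of a non-serializable
 * class A is deserialized. The token field and the stack check are assumptions
 * for illustration only.
 */
public class DeserializationConstructorDemo {

    /** Not Serializable: its fields are absent from the stream, and its
     *  no-argument constructor is what deserialization runs to initialize them. */
    static class A {
        int token;

        A() {
            token = -1;
            // Stand-in for a stack-inspection security check: is any subclass
            // constructor frame on the stack while this constructor runs?
            boolean subclassOnStack = false;
            for (StackTraceElement f : Thread.currentThread().getStackTrace()) {
                String cls = f.getClassName();
                if ("<init>".equals(f.getMethodName())
                        && (cls.endsWith("$B") || cls.endsWith("$C"))) {
                    subclassOnStack = true;
                }
            }
            System.out.println("A() called, subclass constructor on stack: " + subclassOnStack);
        }
    }

    /** Serializable by declaration; A's no-arg constructor must be accessible to it. */
    static class B extends A implements Serializable {
        private static final long serialVersionUID = 1L;

        B() {
            token = 42;   // state established by a serializable subclass's constructor
            System.out.println("B() called");
        }
    }

    /** Serializable by inheritance from B. */
    static class C extends B {
        private static final long serialVersionUID = 1L;

        C() {
            System.out.println("C() called");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("-- new C() --");
        C c = new C();                      // A(), B() and C() all run; B/C frames are on the stack
        System.out.println("token = " + c.token);

        byte[] bytes = serialize(c);        // A.token is not written: A is not Serializable

        System.out.println("-- readObject() --");
        C copy = (C) deserialize(bytes);    // only A() runs, invoked from JVM-generated code
        System.out.println("token = " + copy.token);   // reset by A(); B's assignment did not run
    }
}
```

Run it with `java DeserializationConstructorDemo.java`. In the first phase all three constructors run and A's check finds a subclass constructor frame on the stack; after `readObject()` only A's no-argument constructor runs, the check finds no B or C frame, and `token` holds whatever A() assigned rather than B's value, which is the state reset the text describes. Any check that relied on seeing the subclass on the stack would reach the same wrong conclusion.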

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7f32550bf59b24d8-daec3161-4a464ddf-b50fa023-e49591b79a8429a1ed8ae4c9"><ac:plain-text-body><![CDATA[
[[API 2006|AA. Bibliography#API 06]]
]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f145b1580ad65c90-7a72005b-45454476-891e89bd-a05852d2e5a96ed9ab28c0e3"><ac:plain-text-body><![CDATA[
[[CVE|AA. Bibliography#CVE]] [CVE-2008-5353|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353]
]]></ac:plain-text-body></ac:structured-macro>

...