As the java.io.InputStream class is abstract, a wrapper such as BufferedInputStream is required to provide a concrete implementation that overrides its methods. Java input classes, for example Scanner and BufferedInputStream, often buffer the underlying input stream to facilitate fast, non-blocking I/O.
It is permissible to create multiple wrappers on an InputStream. Programs that encourage multiple wrappers around the same stream, however, behave significantly different depending on whether the InputStream allows look-ahead or not. An adversary can exploit this difference in behavior by, for example, redirecting System.in (from a file). This is also possible when a program uses the System.setIn() method to redirect System.in. That said, redirecting input from the console is a standard practice in UNIX based platforms but finds limited application in others such as Windows, where console programs are largely considered outmoded. In general, any input stream that supports non-blocking buffered I/O is susceptible to misuse.
...