Every serializable class that has private mutable instance variables must defensively copy them in the readObject() method. An attacker can tamper with the serialized form of such a class, appending extra references to the byte stream. When deserialized, this byte stream could allow the creation of a class instance whose internal variable references are controlled by the attacker. Consequently, this allows the instance of the container class to mutate and violate its class invariants.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="98fe03df6a710cb8-6f3e174f-42ca4743-99c5a3de-bb337010a4a2e9097e8c7d29"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] |
| ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="35610c19c79148a8-060a23e8-4817450b-a217a23f-a853045018323fec8d0aa1cd"><ac:plain-text-body><![CDATA[ | [[Bloch 2008 | AA. Bibliography#Bloch 08]] | Item 76: "Write readObject methods defensively" | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d4c6786975060d4e-8fcaf036-43b24db5-bd908730-34fcb1635925a9947e3026eb"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]] | "Serialization specification: A.6 Guarding Unshared Deserialized Objects" | ]]></ac:plain-text-body></ac:structured-macro> |
...