Invoking overridable methods from the readObject() method can cause permit the overriding method to read the state of the subclass before it is fixed. This is fully constructed, because the base class is deserialized first, followed by the subclass. Also see the related guideline MET07-J. Do not invoke overridable methods in clone().
...
This compliant solution removes the call to the overridable method. If this cannot be doneWhen removing such calls is infeasible, ensure that the overridable method is declared private or final.
...
| Wiki Markup |
|---|
*SER11-EX1:* "The {{readObject}} methods will usuallyoften call {{java.io.ObjectInputStream.defaultReadObject}}, which is an overridable method" \[[SCG 2009|AA. Bibliography#SCG 09]\]. Such calls are explicitly permitted. |
Risk Assessment
Invoking overridable methods from the readObject() method can lead to initialization errors.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SER11-J | low | probable | medium | P4 | L3 |
Automated Detection
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...