
Java input classes such as Scanner and BufferedInputStream facilitate fast, non-blocking I/O by buffering an underlying input stream. Programs can create multiple wrappers on an InputStream. Programs that use multiple wrappers around a single stream, however, can behave unpredictably depending on whether the wrappers allow look-ahead. An attacker can exploit this difference in behavior by, for example, redirecting System.in (from a file) or by using the System.setIn() method to redirect System.in. In general, any input stream that supports non-blocking buffered I/O is susceptible to this form of misuse.

An input stream must not have more than one buffered wrapper created over it. Instead, create and use only one wrapper per input stream, either by passing it as an argument to the methods that need it or by declaring it as a class variable.
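The behavior described above, shown as an added example that is not code from the original page: a second BufferedInputStream created over System.in finds the stream already drained by the first wrapper's look-ahead, while a single shared wrapper reads both lines. The class name WrapperDemo, the helper methods and the sample input are assumptions constructed for illustration.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class WrapperDemo {
    // Constructed sample input standing in for redirected standard input.
    static final byte[] SAMPLE = "A\nB\n".getBytes(StandardCharsets.US_ASCII);

    // Reads one line (without the terminator) from an existing wrapper;
    // returns null when the stream is already at end of input.
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1 && c != '\n') {
            sb.append((char) c);
        }
        return (c == -1 && sb.length() == 0) ? null : sb.toString();
    }

    // Noncompliant: every call creates a new buffered wrapper over System.in.
    static String readLineNewWrapper() throws IOException {
        return readLine(new BufferedInputStream(System.in));
    }

    public static void main(String[] args) throws IOException {
        InputStream original = System.in;
        try {
            // Two wrappers: the first fills its buffer with all of SAMPLE,
            // so the second wrapper sees end of input and the "B" line is lost.
            System.setIn(new ByteArrayInputStream(SAMPLE));
            System.out.println("new wrapper, 1st read: " + readLineNewWrapper());
            System.out.println("new wrapper, 2nd read: " + readLineNewWrapper());

            // Compliant: one wrapper, passed to every method that reads.
            System.setIn(new ByteArrayInputStream(SAMPLE));
            BufferedInputStream shared = new BufferedInputStream(System.in);
            System.out.println("shared wrapper, 1st read: " + readLine(shared));
            System.out.println("shared wrapper, 2nd read: " + readLine(shared));
        } finally {
            System.setIn(original); // restore the real standard input
        }
    }
}
```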

...


...