The real fault seems to be in classes like AnnotationInvocationHandler or PriorityQueue (both part of the Java library), whose readObject() methods trustingly call some methods on their child objects.
AnnotationInvocationHandler calls map.entrySet(); PriorityQueue calls compare(). You just make sure the child object executes malicious code when executing those methods. For the child object, you can find a utility class such as LazyMap (from Commons) that executes a function while calling entrySet(). The function can be another utility class that executes some method by reflection (e.g. a Runtime method). These utility classes are all over the place to support functional-style or config-as-code programming.
But I think the real fault lies in those classes that execute child code during readObject(). It doesn't lie in the Commons classes that are used for the children.
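An added illustration of the point made in the comment above, written for this page and not taken from the comment, the JDK or Commons: a minimal class whose readObject() invokes a method on a child that arrived in the same stream (the pattern PriorityQueue's compare() call follows), a variant that defers any child behaviour until after deserialization, and a JEP 290 ObjectInputFilter allow-list gating the stream. The class names TrustingQueue, DeferredQueue, ByString and NotExpected are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Comparator;

// Example code written for this page; not from the comment, the JDK or Commons.
public class ReadObjectDemo {

    // The pattern the comment blames: readObject() restores fields and then calls
    // compare() on a Comparator that came out of the same untrusted stream, so any
    // Serializable Comparator in the stream runs before the application sees the object.
    static final class TrustingQueue implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object[] items;
        final Comparator<Object> comparator;

        TrustingQueue(Object[] items, Comparator<Object> comparator) {
            this.items = items;
            this.comparator = comparator;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            Arrays.sort(items, comparator); // child behaviour executed during deserialization
        }
    }

    // Hardened variant: readObject() only checks shape; ordering is redone by the
    // owner once it has decided the data is trusted, so no child method runs here.
    static final class DeferredQueue implements Serializable {
        private static final long serialVersionUID = 1L;
        final Object[] items;
        final Comparator<Object> comparator;
        transient boolean sorted;

        DeferredQueue(Object[] items, Comparator<Object> comparator) {
            this.items = items.clone();
            this.comparator = comparator;
            Arrays.sort(this.items, comparator);
            this.sorted = true;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (items == null || comparator == null) {
                throw new InvalidObjectException("missing items or comparator");
            }
            sorted = false; // invariant re-established lazily, not during deserialization
        }

        Object[] sortedItems() {
            if (!sorted) { Arrays.sort(items, comparator); sorted = true; }
            return items.clone();
        }
    }

    // A harmless Serializable comparator so the example round-trips.
    static final class ByString implements Comparator<Object>, Serializable {
        private static final long serialVersionUID = 1L;
        public int compare(Object a, Object b) { return String.valueOf(a).compareTo(String.valueOf(b)); }
    }

    // A class the stream is not expected to carry; the filter below rejects it.
    static final class NotExpected implements Serializable { private static final long serialVersionUID = 1L; }

    // JEP 290 filter (Java 9+): allow only the classes this stream is meant to carry.
    // Pattern matching uses the element type for arrays, so java.lang.Object covers Object[].
    static ObjectInputFilter allowListFilter() {
        return ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.lang.Object;"
                        + DeferredQueue.class.getName() + ";"
                        + ByString.class.getName() + ";maxdepth=8;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object[] data = {"pear", "apple", "fig"}; // constructed sample input
        DeferredQueue q = (DeferredQueue) deserialize(serialize(new DeferredQueue(data, new ByString())));
        System.out.println(Arrays.toString(q.sortedItems()));
        try {
            deserialize(serialize(new NotExpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter is the control that does not depend on every library class getting readObject() right: a stream carrying a class outside the allow list fails in resolveClass with an InvalidClassException before any readObject() on it runs. The DeferredQueue change addresses the fault the comment identifies at its source, since the only code executed during deserialization is field restoration and a null check.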
"Literally" does not mean "very much like".
Actually*, "very", or "verily" (from Middle English "verray" = true, real) does (literally) mean "literally".
* And for that matter, so does "actually". In fact, it seems that almost every word ever invented that means "truly" or "actually" or "literally" or "completely" gets degraded through overuse of hyperbole to eventually mean "quite a lot".**
** Including "quite".
People usually point to the "expected value" as an argument that it's a bad bargain.
But it seems to me that the expected value is meaningless unless the experiment is performed often enough for the Law of Large Numbers to even out the results.
So, if a person plans to buy daily a ticket at 1/100 odds, you can make an expected-value argument. But if they plan to buy daily a ticket at 1/175000000 odds
There was a Doctor Who novel, I think this one, The Murder Game by Steve Lyons, where there was an "Assassination program"... a sophisticated malware package that just required to be configured with the victim's name, and it would search out means to physically kill them via computer-controlled objects.
I'm no expert, but even today it sounds almost possible. You need: (1) a way of tying victims to physical objects and locations (DMV records, toy purchases, planning permission applications,
If that sounds like an implausible engineering effort, remember that malware packages are incrementally improved on and made more powerful over time... it would start out with some simple and unlikely-to-succeed algorithms, and evolve into something with a huge array of killing options.
(Maybe at that point people would start taking privacy seriously.)
The next person to mention spaghetti stacks to me is going to have his head knocked off. -- Bill Conrad