Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All
Expand Minimize

CA2124: Wrap vulnerable finally clauses in outer try







Breaking Change

Non Breaking

In versions 1.0 and 1.1 of the .NET Framework, a public or protected method contains a try/catch/finally block. The finally block appears to reset security state and is not enclosed in a finally block.

This rule locates try/finally blocks in code that targets versions 1.0 and 1.1 of the .NET Framework that might be vulnerable to malicious exception filters present in the call stack. If sensitive operations such as impersonation occur in the try block, and an exception is thrown, the filter can execute before the finally block. For the impersonation example, this means that the filter would execute as the impersonated user. Filters are currently implementable only in Visual Basic.

Caution noteCaution

Note   In versions 2.0 and later of the .NET Framework, the runtime automatically protects a try/catch/ finally block from malicious exception filters, if the reset occurs directly within the method that contains the exception block.

Place the unwrapped try/finally in an outer try block. See the second example that follows. This forces the finally to execute before filter code.

Do not suppress a warning from this rule.


The following pseudo-code illustrates the pattern detected by this rule.


try {
   // Do some work.
   Impersonator imp = new Impersonator("John Doe");
finally {
   // Reset security state.

The following pseudo-code shows the pattern that you can use to protect your code and satisfy this rule.

try {
     try {
        // Do some work.
     finally {
        // Reset security state.

Community Additions

© 2015 Microsoft