CA2124: Wrap vulnerable finally clauses in outer try
This rule locates try/finally blocks in code that targets versions 1.0 and 1.1 of the .NET Framework that might be vulnerable to malicious exception filters present in the call stack. If sensitive operations such as impersonation occur in the try block, and an exception is thrown, the filter can execute before the finally block. For the impersonation example, this means that the filter would execute as the impersonated user. Filters are currently implementable only in Visual Basic.
Note In versions 2.0 and later of the .NET Framework, the runtime automatically protects a try/catch/ finally block from malicious exception filters, if the reset occurs directly within the method that contains the exception block.
The following pseudo-code illustrates the pattern detected by this rule.