Chapter Important notes on SML#

Here, we list the issues you should aware of in using SML# version 1.0.1.

1. On the function OS.FileSys.tmpName : unit -> string
   This is a function in the Standard ML Basis Library. The implementation in the 1.0.1 version uses C library function tmpnam. It is known that usage of this C function has a security problem. (See, for example, a man page in a BSD-family OS.) If one write an SML# program that manipulates temporary files using OS.FileSys.tmpName, the program may subject to the same security problem.

   When SML# compiler generates an executable program of a source program that references this function, typically through _require "basis.smi" declaration, the following warning message is printed:

   ???.o : In function `F45???':
   (????) : warning: the use of `tmpnam' is dangerous, better use `mkstemp'

   This is due to the fact that tmpnam is linked to the executable program.

   One of the causes of the security problem in creating a temporary file using C function tmpnam is the separation of the temporary name creation and the creation of the file that is actually used. We find it rather difficult to solve this problem by changing implementation of the function tmpName : unit -> string, whose signature is required by OS_FILE_SYS. We plan to develop a new structure that would serve as a secure, efficient and usable alternative to OS.FileSys.