Version 2.10.2
--------------
-_Unreleased_
+Unreleased
+
+- Fix Python 3.7 deprecation warnings.
+- Using ``range`` in the sandboxed environment uses ``xrange`` on
+ Python 2 to avoid memory use. #933
-- Fix Python 3.7 deprecation warnings.
Version 2.10.1
--------------
import operator
from jinja2.environment import Environment
from jinja2.exceptions import SecurityError
-from jinja2._compat import string_types, PY2, abc
+from jinja2._compat import string_types, PY2, abc, range_type
from jinja2.utils import Markup
from markupsafe import EscapeFormatter
"""A range that can't generate ranges with a length of more than
MAX_RANGE items.
"""
- rng = range(*args)
+ rng = range_type(*args)
+
if len(rng) > MAX_RANGE:
- raise OverflowError('range too big, maximum size for range is %d' %
- MAX_RANGE)
+ raise OverflowError(
+ "Range too big. The sandbox blocks ranges larger than"
+ " MAX_RANGE (%d)." % MAX_RANGE
+ )
+
return rng
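Review bot: The docstring above this change does not mention that the returned object is now lazy on Python 2, which is a visible behaviour change for template authors. Per the changelog entry `range_type` is `xrange` there, so a template that slices or concatenates the result (for example `range(10)[2:5]`) would presumably fail where the old list-returning `range` worked. I would add a sentence such as `Returns a lazy range object (xrange on Python 2), so the length check runs before any items are allocated.` As far as I can tell, arguments too large for the platform integer raise OverflowError from `range_type(*args)` or `len(rng)` themselves, so callers see that message rather than the new MAX_RANGE one; the docstring could say so. The function's signature lies outside the hunk.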
c.next()
assert c.current == 2
c.reset()
- assert c.current == 1
+ assert c.current == 1
def test_expressions(self, env):
expr = env.compile_expression("foo")
t = env.from_string('{{ foo }}')
assert t.render(foo='<foo>') == '<foo>'
+ def test_sandbox_max_range(self, env):
+ from jinja2.sandbox import SandboxedEnvironment, MAX_RANGE
+
+ env = SandboxedEnvironment()
+ t = env.from_string("{% for item in range(total) %}{{ item }}{% endfor %}")
+
+ with pytest.raises(OverflowError):
+ t.render(total=MAX_RANGE + 1)
+
@pytest.mark.api
@pytest.mark.meta
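Review bot: `test_sandbox_max_range` only exercises the rejecting side of the limit, so an off-by-one in the `len(rng) > MAX_RANGE` comparison would pass unnoticed. A boundary case that does not render every item would pin it, e.g. `assert env.from_string("{{ range(total)|length }}").render(total=MAX_RANGE) == str(MAX_RANGE)`. As a style point, the `env` fixture argument is overwritten on the first line of the body by `env = SandboxedEnvironment()`; naming the local `sandbox_env` makes it clear the fixture environment is not the one under test.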