From de82ea339c97c96d2354909681dc88973008fa02 Mon Sep 17 00:00:00 2001
From: Witold Filipczyk
Date: Wed, 21 Sep 2022 19:40:48 +0200
Subject: [PATCH] [xhr] check allowed methods for open. Allowed are only GET, POST or HEAD
---
 src/ecmascript/spidermonkey/xhr.cpp | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/ecmascript/spidermonkey/xhr.cpp b/src/ecmascript/spidermonkey/xhr.cpp
index ce834928f..3a2c9a6f3 100644
--- a/src/ecmascript/spidermonkey/xhr.cpp
+++ b/src/ecmascript/spidermonkey/xhr.cpp
@@ -105,6 +105,7 @@ struct xhr {
 char *statusText;
 char *upload;
 bool withCredentials;
+ int method;
 int readyState;
 int status;
 int timeout;
@@ -276,6 +277,28 @@ xhr_open(JSContext *ctx, unsigned int argc, JS::Value *rval)
 if (!xhr) {
 return false;
 }
+ char *method = jsval_to_string(ctx, args[0]);
+
+ if (!method) {
+ return false;
+ }
+
+ const char *allowed[] = { "", "GET", "HEAD", "POST", NULL };
+ bool method_ok = false;
+
+ for (int i = 1; allowed[i]; i++) {
+ if (!strcasecmp(allowed[i], method)) {
+ method_ok = true;
+ xhr->method = i;
+ break;
+ }
+ }
+ mem_free(method);
+
+ if (!method_ok) {
+ return false;
+ }
+
+ mem_free_set(&xhr->responseURL, jsval_to_string(ctx, args[1]));
 args.rval().setUndefined();
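Review bot: The added `jsval_to_string(ctx, args[0])` reads the first argument with no `argc` check visible in this hunk; if `args` is the usual `JS::CallArgs`, `operator[]` only asserts the index in debug builds, so a script calling `open()` with too few arguments would read past the argument vector unless a guard exists earlier (xhr_open starts above the hunk, so this needs confirming). Both new early exits, `if (!method)` and `if (!method_ok)`, `return false` without reporting an exception, which SpiderMonkey treats as an uncatchable failure, so a page script cannot distinguish a rejected method from an engine error. I would add `if (argc < 2) { JS_ReportErrorASCII(ctx, "open: method and url required"); return false; }` before the conversion and report the rejected method the same way before the second `return false`. Separately, `xhr->method = i` stores an index into the function-local `allowed[]` table, so a named enum shared with whatever later reads `xhr->method` would keep the allowlist and its consumer in step; a comment on the `""` placeholder at index 0 would also help.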