[3-2-stable] Add `HostAuthorization` rack-protection middleware (#2053)
The Sinatra project received a security report with the following details:
Title: Reliance on Untrusted Inputs in a Security Decision
CWE ID: CWE-807
CVE ID: CVE-2024-21510
Credit: t0rchwo0d
Description: The sinatra package is vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
The vulnerable code was introduced in fae7c011. Sinatra cannot know whether the header value can be trusted or not without input from the app creator. This change introduces the `host_authorization` setting for that.
It is implemented as a Rack middleware, bundled with rack-protection, but not exposed as one of the default or opt-in protections. It is meant to be used on its own, as sharing its reaction with the other protections is not ideal.
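As an added example (not Sinatra's own `HostAuthorization` middleware or any rack-protection code), here is a minimal Rack-style middleware that enforces an app-author-supplied host allowlist in front of an app whose redirect helper builds absolute URLs from the request host. The names `HostAllowlist`, `REDIRECTING_APP`, `request_env` and `guarded_app` are assumptions; it needs no gems.

```ruby
# Added example, not Sinatra's own HostAuthorization: a minimal Rack-style
# middleware that rejects requests whose effective host (X-Forwarded-Host
# if a proxy set it, otherwise Host) is not in the app author's allowlist.
class HostAllowlist
  def initialize(app, permitted_hosts:, status: 403)
    @app = app
    @permitted = permitted_hosts
    @status = status
  end

  def call(env)
    host = self.class.effective_host(env)
    return @app.call(env) if self.class.permitted?(host, @permitted)
    [@status, { 'content-type' => 'text/plain' }, ["Host not permitted\n"]]
  end

  # Proxies may append several hosts ("a.example, b.example"); the last is
  # the one nearest the app. Port is stripped before comparison.
  def self.effective_host(env)
    raw = env['HTTP_X_FORWARDED_HOST'].to_s.strip
    raw = env['HTTP_HOST'].to_s.strip if raw.empty?
    return nil if raw.empty?
    raw.split(',').last.strip.downcase.sub(/:\d+\z/, '')
  end

  # Permitted entries are exact hostnames (strings) or Regexps.
  def self.permitted?(host, permitted)
    return false if host.nil? || host.empty?
    permitted.any? { |p| p.is_a?(Regexp) ? p.match?(host) : p == host }
  end
end

# Inner app that builds an absolute redirect from the request host, as a
# redirect helper does; guarded, it only ever sees an allowlisted host.
REDIRECTING_APP = lambda do |env|
  host = HostAllowlist.effective_host(env)
  [302, { 'location' => "#{env['rack.url_scheme']}://#{host}/login" }, []]
end

# Constructed Rack env for testing; both headers are client-controllable.
def request_env(host:, xfh: nil)
  env = { 'rack.url_scheme' => 'https', 'HTTP_HOST' => host }
  env['HTTP_X_FORWARDED_HOST'] = xfh if xfh
  env
end

def guarded_app(permitted_hosts)
  HostAllowlist.new(REDIRECTING_APP, permitted_hosts: permitted_hosts)
end
```

Placed in front of the app, the middleware answers 403 for any host the author did not list, so an X-Forwarded-Host value chosen by the client never reaches the redirect builder.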
Will look into the test failures later