* 2-2-sec:
  bump version
  Limit all multipart parts, not just files

* 2-2-sec:
  bump version
  Avoid ReDoS problem

This makes Rack 2.2 behavior similar to Rack 2.1 and Rack 3.0 in
regards to underscore in host names.

- Fixes #1968

Backports commit 9cad48e to version 2.2

Partial backport of 1970771

Differences from original commit:
- `#assert` is not deprecated
- `include Assertion` is not removed
- The assertion in `check_status` is the 2-2-stable version since the
  SPEC [change][1] to require statuses to be integers was merged before
  this
- `#dump` was added to the `REQUEST_METHOD` assertion [after][2] the
  original commit, so it was added here as well

This fixes an issue encountered when adding `Rack::Lint` to the Rails
test suite. Rails puts a lazily evaluated class inside the request env
that has the potential to raise when converted to a string. Since this
assertion in `Rack::Lint` calls `#inspect` on `env` whether or not `env`
is a `Hash`, the lazily evaluated class would raise at that point and
prevent the rest of `Rack::Lint` from validating the conformity of the
request.

By backporting this change, `#inspect` is now only called when the
`LintError` would be raised which avoids the problem.

[1]: ba25ade
[2]: b426cc2

Co-authored-by: Benoit Daloze <[email protected]>

It looks like this has been out of sync since additional assertions were
[added][1] to `Rack::Lint` concerning `SERVER_PORT`, `SERVER_NAME`, and
`HTTP_HOST`.

[1]: 290523f

Thanks svalkanov

[CVE-2024-26146]

If the sum of the requested ranges is larger than the file itself,
return an empty array. In other words, refuse to respond with any bytes.

[CVE-2024-26141]