Two separate vulnerabilities:

1. Unbounded buffering of uploaded data waiting for a boundary.

2. Unbounded buffering of uploaded data waiting for complete
   mime part header.

The respective limits are 16KB for (1) and 64KB for (2), but those
limits only apply for non-default buffer sizes. If left at the
default configuration, 1MB (default buffer size) will be the limit
for both.

This changes one EmptyContentError exception to an Error exception,
but EmptyContentError is probably the wrong error to raise for a
very long boundary.

The limit is 16MB by default, and it can be adjusted with the
RACK_MULTIPART_MAX_BUFFERED_UPLOAD_SIZE environment variable.

Data stored in temporary files is not counted against this limit.
However data for other parameters, as well as the data for the
mime headers for each parameter (which is retained during parsing)
is counted against the limit.

…y bypass.

- Ignore `HTTP_X_SENDFILE_TYPE` header from requests to prevent attackers from enabling sendfile features.
- Only read `HTTP_X_ACCEL_MAPPING` when `x-accel-redirect` is explicitly configured and no app-level mappings exist.
- Prefer `\A` instead of `^` to match the start of path mappings.

…austion.

- Limit read to `query_parser.bytesize_limit`.