GHSA-QFGR-CRR9-7R49 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...