mcp-searxng web_url_read tool vulnerable to unbounded memory allocation via missing Content-Length
The `web_url_read` MCP tool enforces its 5 MiB response-size limit exclusively by inspecting the `Content-Length` header of a preliminary HEAD request.
What changed
The `web_url_read` MCP tool enforces its 5 MiB response-size limit exclusively by inspecting the `Content-Length` header of a preliminary HEAD request. When a server omits `Content-Length`, `checkContentLength()` returns `null`, the guard condition short-circuits to `false`, and `response.text()` loads the entire response body into memory without any byte cap.
Who it affects
Any unauthenticated attacker who controls an HTTP endpoint, or can redirect the tool to one, can make the server process buffer an arbitrarily large response body, consuming unbounded memory and CPU until the process is killed or crashes (Denial of Service). In HTTP transport mode, authentication is disabled by default, so the network-reachable, no-privileges CVSS assessment (AV:N/PR:N) applies unconditionally. In stdio mode there is no network listener, but an attacker can still reach the vulnerable path through prompt injection: content the model reads can instruct it to call `web_url_read` on the attacker's URL.
What to do today
Replace both `response.text()` calls with a streaming reader that counts bytes as chunks arrive and aborts, cancelling the body, once the counter exceeds `maxContentLengthBytes`, as shown in the remediation diff. The preliminary HEAD check can stay as an early rejection, but it is advisory only: the limit must be enforced on the bytes actually received, because the attacker's server chooses whether to send `Content-Length` at all and what value it carries.
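To make the failure mode and the fix concrete, here is an added example that is not mcp-searxng's code: a header-only size guard shaped like the one the advisory describes, beside a streaming reader that enforces the cap on bytes actually received. The `checkContentLength()` stand-in, the `MAX_CONTENT_LENGTH_BYTES` constant, and the `chunkedResponse()` fake server are assumptions constructed for the demo; the responses it reads are built in-process so it runs offline on Node 18 or newer.

```javascript
// Added example, not mcp-searxng's code: a header-only size guard of the kind
// the advisory describes, beside a streaming reader that caps the body by the
// bytes actually received. Needs Node 18+ (global Response/ReadableStream).

// Assumption: a 5 MiB limit like the advisory's; demo() passes a smaller cap
// so the test stays cheap.
const MAX_CONTENT_LENGTH_BYTES = 5 * 1024 * 1024;

// Stand-in for checkContentLength(): null when the header is absent or unparsable.
function checkContentLength(headers) {
  const raw = headers.get("content-length");
  if (raw === null) return null;
  const n = Number(raw);
  return Number.isInteger(n) && n >= 0 ? n : null;
}

// Vulnerable pattern: a null from checkContentLength() makes the guard evaluate
// to false, and response.text() then buffers the whole body with no cap.
async function readBodyHeaderGuard(response, maxBytes = MAX_CONTENT_LENGTH_BYTES) {
  const declared = checkContentLength(response.headers);
  if (declared !== null && declared > maxBytes) {
    throw new Error(`Content-Length ${declared} exceeds limit of ${maxBytes} bytes`);
  }
  return await response.text(); // unbounded when Content-Length is missing
}

// Hardened pattern: keep the header check as an early reject, then count bytes
// as chunks arrive and cancel the body as soon as the running total passes the cap.
async function readBodyCapped(response, maxBytes = MAX_CONTENT_LENGTH_BYTES) {
  const declared = checkContentLength(response.headers);
  if (declared !== null && declared > maxBytes) {
    throw new Error(`Content-Length ${declared} exceeds limit of ${maxBytes} bytes`);
  }
  const reader = response.body.getReader();
  const chunks = [];
  let received = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      received += value.byteLength;
      if (received > maxBytes) {
        throw new Error(`response body exceeds limit of ${maxBytes} bytes`);
      }
      chunks.push(value);
    }
  } finally {
    // On early exit this tells the source to stop producing; harmless after a clean close.
    await reader.cancel().catch(() => {});
  }
  const out = new Uint8Array(received);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return new TextDecoder().decode(out);
}

// Constructed stand-in for an attacker's server: streams `count` chunks of
// `chunkSize` bytes and, unless told otherwise, sends no Content-Length at all.
function chunkedResponse(count, chunkSize, headers = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= count) { controller.close(); return; }
      controller.enqueue(new Uint8Array(chunkSize).fill(0x41)); // "A"
      sent++;
    },
  });
  return new Response(body, { headers });
}

const rejects = (p) => p.then(() => false, () => true);

// Exercise both readers against constructed responses with a small cap.
async function demo(maxBytes = 1024) {
  const big = () => chunkedResponse(16, 256);                                // 4096 bytes, no header
  const small = () => chunkedResponse(2, 256);                               // 512 bytes, no header
  const lying = () => chunkedResponse(16, 256, { "content-length": "10" }); // header understates body
  return {
    headerGuardBytes: (await readBodyHeaderGuard(big(), maxBytes)).length, // 4096: cap never applied
    cappedRejectsBig: await rejects(readBodyCapped(big(), maxBytes)),      // true
    cappedAcceptsSmall: (await readBodyCapped(small(), maxBytes)).length,  // 512
    cappedRejectsLying: await rejects(readBodyCapped(lying(), maxBytes)),  // true
  };
}

demo().then((r) => console.log(r));
```

The last case is the reason the cap has to live on the byte counter: a server that sends a small `Content-Length` and then keeps streaming passes the header guard just as a server that omits the header does, and only the reader that counts what actually arrives stops it.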