From b1c372ea546cd2eef54fa487445ee565af583f36 Mon Sep 17 00:00:00 2001
From: Catherine
Date: Mon, 22 Sep 2025 20:00:54 +0000
Subject: [PATCH] All subdomains of a forbidden domain are forbidden as well.
---
 src/auth.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/auth.go b/src/auth.go
index 0fc5d8f..26f1d86 100644
--- a/src/auth.go
+++ b/src/auth.go
@@ -379,7 +379,8 @@ func CheckForbiddenDomain(r *http.Request) error {
 host = strings.ToLower(host)
 for _, reservedDomain := range config.Limits.ForbiddenDomains {
- if host == strings.ToLower(reservedDomain) {
+ reservedDomain = strings.ToLower(reservedDomain)
+ if host == reservedDomain || strings.HasSuffix(host, fmt.Sprintf(".%s", reservedDomain)) {
 return AuthError{http.StatusForbidden, "forbidden domain"}
 }
 }
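Review bot: The new `if` compares `host` only after lower-casing, so a fully-qualified spelling with a trailing dot (`sub.example.com.`) matches neither `host == reservedDomain` nor the `HasSuffix` test. This holds unless `host` is already normalised earlier in `CheckForbiddenDomain`, which starts above this hunk and is not visible here. If it is not, normalise once before the loop with `host = strings.TrimSuffix(strings.ToLower(host), ".")` and trim the configured entry the same way. An empty entry in `config.Limits.ForbiddenDomains` would turn the suffix into a bare `"."`, so skip it with `if reservedDomain == "" { continue }`. As a style point, `"."+reservedDomain` says the same as `fmt.Sprintf(".%s", reservedDomain)` without a formatting call per entry per request.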