bffb83acf8
When allowPrivateProxy is true, the explicit proxy hostname is operator- configured and trusted. The SSRF guard was checking the proxy hostname against the target-scoped hostnameAllowlist (e.g. ["api.telegram.org"]), which rejected localhost and other local proxy hostnames. This broke Telegram media downloads (and any channel using a local proxy) after the url-fetch security hardening in 2026.4.x. Clear the hostnameAllowlist for the proxy hostname check while keeping private-network IP validation in place via allowPrivateNetwork. Fixes #61906 Co-authored-by: Devin Robison <drobison00@users.noreply.github.com>