Dont allow redirect for webfinger

src/fetch/mod.rs

@@ -74,7 +74,7 @@ pub async fn fetch_object_http<T: Clone, Kind: DeserializeOwned>(
     // Ensure id field matches final url after redirect
     if res.object_id.as_ref() != Some(&res.url) {
         if let Some(res_object_id) = res.object_id {
-        data.config.verify_url_valid(&res_object_id).await?;
+            data.config.verify_url_valid(&res_object_id).await?;
             // If id is different but still on the same domain, attempt to request object
             // again from url in id field.
             if res_object_id.domain() == res.url.domain() {

src/fetch/webfinger.rs

@@ -26,6 +26,9 @@ pub enum WebFingerError {
     /// The wefinger object did not contain any link to an activitypub item
     #[error("The webfinger object did not contain any link to an activitypub item")]
     NoValidLink,
+    /// Webfinger request was redirected which is not allowed
+    #[error("Webfinger request was redirected which is not allowed")]
+    RedirectNotAllowed,
 }
 
 impl WebFingerError {
@@ -68,16 +71,21 @@ where
         format!("{protocol}://{domain}/.well-known/webfinger?resource=acct:{identifier}");
     debug!("Fetching webfinger url: {}", &fetch_url);
 
-    let res: Webfinger = fetch_object_http_with_accept(
+    let res = fetch_object_http_with_accept(
         &Url::parse(&fetch_url).map_err(Error::UrlParse)?,
         data,
         &WEBFINGER_CONTENT_TYPE,
     )
-    .await?
+    .await?;
-    .object;
+    if res.url != fetch_url {
+        return Err(Error::WebfingerResolveFailed(
+            WebFingerError::RedirectNotAllowed,
+        ));
+    }
 
-    debug_assert_eq!(res.subject, format!("acct:{identifier}"));
+    debug_assert_eq!(res.object.subject, format!("acct:{identifier}"));
     let links: Vec<Url> = res
+        .object
         .links
         .iter()
         .filter(|link| {