From 681b27e269c7f89f13ab28e8627ae6d1ba3cada1 Mon Sep 17 00:00:00 2001
From: Sorunome <mail@sorunome.de>
Date: Mon, 15 Feb 2021 12:19:05 +0100
Subject: [PATCH] fix: Don't allow transitive trust unless it is for ouself

---
 lib/src/utils/device_keys_list.dart | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/src/utils/device_keys_list.dart b/lib/src/utils/device_keys_list.dart
index 6ae05e25..0daccfce 100644
--- a/lib/src/utils/device_keys_list.dart
+++ b/lib/src/utils/device_keys_list.dart
@@ -229,6 +229,10 @@ abstract class SignableKey extends MatrixSignableKey {
           !client.userDeviceKeys.containsKey(otherUserId)) {
         continue;
       }
+      // we don't allow transitive trust unless it is for ourself
+      if (otherUserId != userId && otherUserId != client.userID) {
+        continue;
+      }
       for (final signatureEntry in signatureEntries.value.entries) {
         final fullKeyId = signatureEntry.key;
         final signature = signatureEntry.value;