From 76637d415b509afe9e199b043467592eee342ef8 Mon Sep 17 00:00:00 2001
From: metabrixkt
Date: Thu, 28 May 2026 00:56:09 +0500
Subject: [PATCH 1/2] fix: respect exclusive SFTP create requests

Fixes pterodactyl/panel#4739
---
 sftp/handler.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sftp/handler.go b/sftp/handler.go
index 870dcd4bd..be856eb11 100644
--- a/sftp/handler.go
+++ b/sftp/handler.go
@@ -107,6 +107,8 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 // The specific permission required to perform this action. If the file exists on the
 // system already it only needs to be an update, otherwise we'll check for a create.
 permission := PermissionFileUpdate
+ flags := request.Pflags()
+ exists := true
 _, sterr := h.fs.Stat(request.Filepath)
 if sterr != nil {
 if !errors.Is(sterr, os.ErrNotExist) {
@@ -114,6 +116,7 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 return nil, sftp.ErrSSHFxFailure
 }
 permission = PermissionFileCreate
+ exists = false
 }
 // Confirm the user has permission to perform this action BEFORE calling Touch, otherwise
 // you'll potentially create a file on the system and then fail out because of user
@@ -121,6 +124,10 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 if !h.can(permission) {
 return nil, sftp.ErrSSHFxPermissionDenied
 }
+ if exists && flags.Creat && flags.Excl {
+ // SSH_FXF_CREAT with SSH_FXF_EXCL is an exclusive create request.
+ return nil, os.ErrExist
+ }
 f, err := h.fs.Touch(request.Filepath, os.O_RDWR|os.O_TRUNC)
 if err != nil {
 l.WithField("flags", request.Flags).WithField("error", err).Error("failed to open existing file on system")
From ac2f4e1a1f517d434ccfbf64dea616f739b33a6e Mon Sep 17 00:00:00 2001
From: metabrixkt
Date: Thu, 28 May 2026 01:08:51 +0500
Subject: [PATCH 2/2] fix: make exclusive SFTP creates atomic

---
 sftp/handler.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
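Review bot: In the last hunk of PATCH 1/2 (`@@ -121,6 +124,10 @@`), `return nil, os.ErrExist` hands the SFTP layer a plain `os` error, while every other return visible in Filewrite uses an `sftp.ErrSSHFx*` value. Nothing in the hunk shows which status code and message the client ends up seeing for it. A short comment at the return would settle that for the next reader, for example `// os.ErrExist is not an sftp.ErrSSHFx* value; presumably the sftp package maps it to a generic failure status (TODO confirm what clients receive).` The same bare return appears twice more in PATCH 2/2. Filewrite's body starts and ends outside the hunk.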
diff --git a/sftp/handler.go b/sftp/handler.go
index be856eb11..cb1b25fca 100644
--- a/sftp/handler.go
+++ b/sftp/handler.go
@@ -124,12 +124,20 @@ func (h *Handler) Filewrite(request *sftp.Request) (io.WriterAt, error) {
 if !h.can(permission) {
 return nil, sftp.ErrSSHFxPermissionDenied
 }
- if exists && flags.Creat && flags.Excl {
+ openFlags := os.O_RDWR | os.O_TRUNC
+ if flags.Creat && flags.Excl {
 // SSH_FXF_CREAT with SSH_FXF_EXCL is an exclusive create request.
- return nil, os.ErrExist
+ if exists {
+ return nil, os.ErrExist
+ }
+ openFlags = os.O_RDWR | os.O_CREATE | os.O_EXCL
 }
- f, err := h.fs.Touch(request.Filepath, os.O_RDWR|os.O_TRUNC)
+ f, err := h.fs.Touch(request.Filepath, openFlags)
 if err != nil {
+ if errors.Is(err, os.ErrExist) {
+ // Preserve exclusive-create semantics if the file appeared after the pre-check.
+ return nil, os.ErrExist
+ }
 l.WithField("flags", request.Flags).WithField("error", err).Error("failed to open existing file on system")
 return nil, sftp.ErrSSHFxFailure
 }
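Review bot: The atomicity claimed here holds only if `h.fs.Touch` passes `os.O_CREATE|os.O_EXCL` unchanged to a single open call, and Touch's body is not in this hunk. The non-exclusive path passes no `O_CREATE` yet is still expected to create missing files, so Touch presumably adjusts flags or creates on its own. That assumption deserves a test or a comment above the `openFlags = ...` assignment, such as `// Relies on Touch forwarding O_CREATE|O_EXCL unchanged to one open call.` The new `errors.Is(err, os.ErrExist)` branch also runs for non-exclusive opens and returns without logging; gating it as `if flags.Creat && flags.Excl && errors.Is(err, os.ErrExist) {` keeps unexpected failures on the logged path. The log text "failed to open existing file on system" is now also reached when a create fails, and Filewrite's body starts and ends outside the hunk.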