diff --git a/core/modules/field/tests/src/Kernel/EntityReference/EntityReferenceItemTest.php b/core/modules/field/tests/src/Kernel/EntityReference/EntityReferenceItemTest.php
index 6dce67b45f..2d98de66d3 100644
--- a/core/modules/field/tests/src/Kernel/EntityReference/EntityReferenceItemTest.php
+++ b/core/modules/field/tests/src/Kernel/EntityReference/EntityReferenceItemTest.php
@@ -524,6 +524,7 @@ public function testAutocreateValidation() {
     $file = File::create([
       'filename' => $filename,
       'status' => 0,
+      'uid' => 1,
     ]);
 
     $entity = EntityTest::create([
diff --git a/core/modules/file/src/Entity/File.php b/core/modules/file/src/Entity/File.php
index a68b9bae9b..b8c130728c 100644
--- a/core/modules/file/src/Entity/File.php
+++ b/core/modules/file/src/Entity/File.php
@@ -234,6 +234,7 @@ public static function baseFieldDefinitions(EntityTypeInterface $entity_type) {
     $fields['uid'] = BaseFieldDefinition::create('entity_reference')
       ->setLabel(t('User ID'))
       ->setDescription(t('The user ID of the file.'))
+      ->setDefaultValueCallback('\Drupal\file\Entity\File::getCurrentUserId')
       ->setSetting('target_type', 'user');
 
     $fields['filename'] = BaseFieldDefinition::create('string')
@@ -274,4 +275,16 @@ public static function baseFieldDefinitions(EntityTypeInterface $entity_type) {
     return $fields;
   }
 
+  /**
+   * Default value callback for 'uid' base field definition.
+   *
+   * @see \Drupal\file\Entity\File::baseFieldDefinitions::baseFieldDefinitions().
+   *
+   * @return array
+   *   An array of default values.
+   */
+  public static function getCurrentUserId() {
+    return array(\Drupal::currentUser()->id());
+  }
+
 }
diff --git a/core/modules/file/src/FileAccessControlHandler.php b/core/modules/file/src/FileAccessControlHandler.php
index a82c460539..9475458c2b 100644
--- a/core/modules/file/src/FileAccessControlHandler.php
+++ b/core/modules/file/src/FileAccessControlHandler.php
@@ -47,10 +47,11 @@ protected function checkAccess(EntityInterface $entity, $operation, AccountInter
 
     if ($operation == 'delete' || $operation == 'update') {
       $account = $this->prepareUser($account);
-      $file_uid = $entity->get('uid')->getValue();
-      // Only the file owner can delete and update the file entity.
-      if ($account->id() == $file_uid[0]['target_id']) {
-        return AccessResult::allowed();
+      $file_uid = $entity->get('uid')->target_id;
+      // Only admins or the file owner can delete and update the file entity.
+      // @todo Create a new permission to handle this?
+      if ($account->hasPermission('administer nodes') || ($account->id() == $file_uid)) {
+        return AccessResult::allowed()->cachePerPermissions();
       }
       return AccessResult::forbidden();
     }
@@ -96,8 +97,6 @@ protected function checkCreateAccess(AccountInterface $account, array $context,
     // create file entities that are referenced from another entity
     // (e.g. an image for a article). A contributed module is free to alter
     // this to allow file entities to be created directly.
-    // @todo Update comment to mention REST module when
-    //   https://www.drupal.org/node/1927648 is fixed.
     return AccessResult::neutral();
   }
 
diff --git a/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
new file mode 100644
index 0000000000..a3d3e18be4
--- /dev/null
+++ b/core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
@@ -0,0 +1,226 @@
+<?php
+
+namespace Drupal\file\Plugin\rest\resource;
+
+use Drupal\Component\Plugin\DependentPluginInterface;
+use Drupal\rest\Plugin\ResourceBase;
+use Drupal\Component\Render\PlainTextOutput;
+use Drupal\Core\Entity\EntityFieldManagerInterface;
+use Drupal\Core\File\FileSystem;
+use Drupal\file\Entity\File;
+use Drupal\rest\Plugin\rest\resource\EntityResourceValidationTrait;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+use Symfony\Component\HttpFoundation\File\Exception\AccessDeniedException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
+use Symfony\Component\Serializer\SerializerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+
+/**
+ * File upload resource
+ *
+ * @RestResource(
+ *   id = "file:upload",
+ *   label = @Translation("File Upload"),
+ *   serialization_class = "Drupal\file\Entity\File",
+ *   uri_paths = {
+ *     "canonical" = "/file/upload/{entity_type_id}/{bundle}/{field_name}",
+ *     "https://www.drupal.org/link-relations/create" = "/file/upload/{entity_type_id}/{bundle}/{field_name}"
+ *   }
+ * )
+ */
+class FileUploadResource extends ResourceBase implements DependentPluginInterface {
+
+  use EntityResourceValidationTrait;
+
+  /**
+   * @var \Drupal\Core\File\FileSystem
+   */
+  protected $fileSystem;
+
+  /**
+   * @var \Symfony\Component\Serializer\SerializerInterface|SerializerInterface
+   */
+  protected $serializer;
+
+  /**
+   * @var \Drupal\Core\Entity\EntityFieldManagerInterface
+   */
+  protected $entityFieldManager;
+
+  /**
+   * Constructs a FileUploadResource instance.
+   *
+   * @param array $configuration
+   *   A configuration array containing information about the plugin instance.
+   * @param string $plugin_id
+   *   The plugin_id for the plugin instance.
+   * @param mixed $plugin_definition
+   *   The plugin implementation definition.
+   * @param array $serializer_formats
+   *   The available serialization formats.
+   * @param \Psr\Log\LoggerInterface $logger
+   *   A logger instance.
+   * @param \Drupal\Core\File\FileSystem $file_system
+   *   The file system service.
+   * @param \Drupal\Core\Entity\EntityFieldManagerInterface $entity_field_manager
+   *   The entity field manager.
+   *
+   */
+  public function __construct(array $configuration, $plugin_id, $plugin_definition,$serializer_formats, LoggerInterface $logger, FileSystem $file_system, EntityFieldManagerInterface $entity_field_manager) {
+    parent::__construct($configuration, $plugin_id, $plugin_definition, $serializer_formats, $logger);
+    $this->fileSystem = $file_system;
+    $this->entityFieldManager = $entity_field_manager;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) {
+    return new static(
+      $configuration,
+      $plugin_id,
+      $plugin_definition,
+      $container->getParameter('serializer.formats'),
+      $container->get('logger.factory')->get('rest'),
+      $container->get('file_system'),
+      $container->get('entity_field.manager')
+    );
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function calculateDependencies() {
+    return [
+      'module' => ['file']
+    ];
+  }
+
+  /**
+   * Creates a file from endpoint.
+   *
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   * @param \Drupal\file\FileInterface $file
+   */
+  public function post(Request $request, $entity_type_id, $bundle, $field_name) {
+    $this->validateOctetStream($request);
+    // @todo Validate for file name too.
+
+    $field_definitions = $this->entityFieldManager->getFieldDefinitions($entity_type_id, $bundle);
+
+    if (!isset($field_definitions[$field_name])) {
+      throw new BadRequestHttpException(sprintf('Field "%s" does not exist', $field_name));
+    }
+
+    // @todo check the definition is a file field.
+    $field_definition = $field_definitions[$field_name];
+
+    // Check access.
+    if (!$field_definition->access('create')) {
+      throw new AccessDeniedException(sprintf('Access denied for field "%s"', $field_name));
+    }
+
+    $destination = $this->getUploadLocation($field_definition->getFieldStorageDefinition()->getSettings());
+
+    // Grab the filename as described in Content-Disposition header.
+    $content_disposition = $request->headers->get('Content-Disposition');
+    $filename = uniqid();
+    // @todo find a better way to do this.
+    preg_match('/filename=\"(.*?)\"/', $content_disposition, $matches);
+    if ($matches) {
+      $filename = $matches[1];
+    }
+
+    // Check the destination file path is writable.
+    if (!is_writable($this->fileSystem->realpath($destination))) {
+      throw new HttpException(500, 'Destination file path is not writable');
+    }
+
+    // Create the file.
+    $file_uri = "{$destination}/{$filename}";
+
+    $file = File::create([
+      'uri' => $file_uri,
+    ]);
+
+    $this->streamUploadData($file_uri);
+
+    // @todo Also validate based on the above field definition.
+    $this->validate($file);
+
+    $file->save();
+
+    return $file;
+  }
+
+  /**
+   * Streams file upload data to temporary file and moves to file destination.
+   *
+   * @param string $destination_uri
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+   */
+  protected function streamUploadData($destination_uri) {
+    // 'rb' is needed so reading works correctly on windows environments too.
+    $file_data = fopen('php://input','rb');
+
+    $temp_file_name = $this->fileSystem->tempnam('temporary://', 'file');
+
+    if ($temp_file = fopen($temp_file_name, 'wb')) {
+      while (!feof($file_data)) {
+        fwrite($temp_file, fread($file_data, 8192));
+      }
+
+      fclose($temp_file);
+
+      // Move the file to the correct location based on the file entity,
+      // replacing any existing file.
+      if (!file_unmanaged_move($temp_file_name, $uri, FILE_EXISTS_REPLACE)) {
+        throw new HttpException(500, 'Temporary file could not be moved to file location');
+      }
+    }
+    else {
+      $this->getLogger('file system')->error('Temporary file "%path" could not be opened for file upload', ['%path' => $temp_file_name]);
+      throw new HttpException(500, 'Temporary file could not be opened');
+    }
+
+    fclose($file_data);
+  }
+
+  /**
+   * Validates the Content-Type header for the request.
+   *
+   * @param \Symfony\Component\HttpKernel\Request $request
+   *   The request to validate.
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException
+   */
+  protected function validateOctetStream(Request $request) {
+    if ($request->headers->get('Content-Type') !== 'application/octet-stream') {
+      throw new UnsupportedMediaTypeHttpException('The "application/octet-stream" content type must be used to send binary file data');
+    }
+  }
+
+  /**
+   * Determines the URI for a file field.
+   *
+   * @param array $settings
+   *   The array of field settings.
+   *
+   * @return string
+   *   An unsanitized file directory URI with tokens replaced. The result of
+   *   the token replacement is then converted to plain text and returned.
+   */
+  protected function getUploadLocation(array $settings) {
+    $destination = trim($settings['file_directory'], '/');
+
+    // Replace tokens. As the tokens might contain HTML we convert it to plain
+    // text.
+    $destination = PlainTextOutput::renderFromHtml(\Drupal::token()->replace($destination, $data));
+    return $settings['uri_scheme'] . '://' . $destination;
+  }
+
+}
diff --git a/core/modules/file/tests/src/Functional/FileUploadTest.php b/core/modules/file/tests/src/Functional/FileUploadTest.php
new file mode 100644
index 0000000000..f0d576dd3b
--- /dev/null
+++ b/core/modules/file/tests/src/Functional/FileUploadTest.php
@@ -0,0 +1,106 @@
+<?php
+
+namespace Drupal\Tests\file\Functional;
+
+use Drupal\Core\Url;
+use Drupal\file\Entity\File;
+use Drupal\Tests\BrowserTestBase;
+use GuzzleHttp\RequestOptions;
+
+/**
+ * Tests binary data file upload route.
+ *
+ * @group file
+ */
+class FileUploadTest extends BrowserTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = ['file', 'node'];
+
+  /**
+   * Created file entity.
+   *
+   * @var \Drupal\file\Entity\File
+   */
+  protected $file;
+
+  /**
+   * An authenticated user.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $user;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create a file so binary data uploading can be used on it.
+    file_put_contents('public://example.txt', 'TEST');
+
+    // Create a user to use as the file owner.
+    //$this->adminUser = $this->drupalCreateUser(['access content', 'access administration pages', 'administer site configuration', 'administer users', 'administer permissions', 'administer content types', 'administer node fields', 'administer node display', 'administer nodes', 'bypass node access']);
+    $this->user = $this->drupalCreateUser([], 'user1', TRUE);
+    $this->drupalLogin($this->user);
+
+    $this->file = File::create([
+      'uid' => $this->user->id(),
+      'uri' => 'public://example.txt',
+    ]);
+
+    $this->file->save();
+
+    $this->refreshVariables();
+  }
+
+  /**
+   * Tests using the file upload route.
+   */
+  public function testFileUpload() {
+    $new_file_data = 'TEST WITH NEW DATA';
+
+    // The wrong content type should return a 415 code.
+    $response = $this->fileRequest(Url::fromRoute('file.upload', ['file' => $this->file->id()]), $new_file_data, 'application/json');
+    $this->assertSame(415, $response->getStatusCode());
+
+    $response = $this->fileRequest(Url::fromRoute('file.upload', ['file' => $this->file->id()]), $new_file_data);
+
+    $this->assertSame(200, $response->getStatusCode());
+    $this->assertSame('OK', (string) $response->getBody());
+    $this->assertSame($new_file_data, file_get_contents('public://example.txt'));
+  }
+
+  /**
+   * Performs a file upload request. Wraps the Guzzle HTTP client.
+   *
+   * @see \GuzzleHttp\ClientInterface::request()
+   *
+   * @param string $method
+   *   HTTP method.
+   * @param \Drupal\Core\Url $url
+   *   URL to request.
+   * @param array $request_options
+   *   Request options to apply.
+   *
+   * @return \Psr\Http\Message\ResponseInterface
+   */
+  protected function fileRequest(Url $url, $file_contents, $content_type = 'application/octet-stream') {
+    $request_options = [];
+    $request_options[RequestOptions::HTTP_ERRORS] = FALSE;
+    $request_options['headers']['Content-Type'] = $content_type;
+    $request_options['body'] = $file_contents;
+
+    $session = $this->getSession();
+    $this->prepareRequest();
+
+    $client = $session->getDriver()->getClient()->getClient();
+    return $client->request('POST', $url->setAbsolute(TRUE)->toString(), $request_options);
+  }
+
+}
diff --git a/core/modules/hal/hal.services.yml b/core/modules/hal/hal.services.yml
index 97fcbfb13d..39d3dd8104 100644
--- a/core/modules/hal/hal.services.yml
+++ b/core/modules/hal/hal.services.yml
@@ -16,7 +16,7 @@ services:
     class: Drupal\hal\Normalizer\FileEntityNormalizer
     tags:
       - { name: normalizer, priority: 20 }
-    arguments: ['@entity.manager', '@http_client', '@hal.link_manager', '@module_handler']
+    arguments: ['@entity.manager', '@hal.link_manager', '@module_handler']
   serializer.normalizer.entity.hal:
     class: Drupal\hal\Normalizer\ContentEntityNormalizer
     arguments: ['@hal.link_manager', '@entity.manager', '@module_handler']
diff --git a/core/modules/hal/src/Normalizer/FileEntityNormalizer.php b/core/modules/hal/src/Normalizer/FileEntityNormalizer.php
index ec870e9e14..5e45d59711 100644
--- a/core/modules/hal/src/Normalizer/FileEntityNormalizer.php
+++ b/core/modules/hal/src/Normalizer/FileEntityNormalizer.php
@@ -4,8 +4,8 @@
 
 use Drupal\Core\Entity\EntityManagerInterface;
 use Drupal\Core\Extension\ModuleHandlerInterface;
+use Drupal\file\FileInterface;
 use Drupal\hal\LinkManager\LinkManagerInterface;
-use GuzzleHttp\ClientInterface;
 
 /**
  * Converts the Drupal entity object structure to a HAL array structure.
@@ -17,31 +17,20 @@ class FileEntityNormalizer extends ContentEntityNormalizer {
    *
    * @var string
    */
-  protected $supportedInterfaceOrClass = 'Drupal\file\FileInterface';
-
-  /**
-   * The HTTP client.
-   *
-   * @var \GuzzleHttp\ClientInterface
-   */
-  protected $httpClient;
+  protected $supportedInterfaceOrClass = FileInterface::class;
 
   /**
    * Constructs a FileEntityNormalizer object.
    *
    * @param \Drupal\Core\Entity\EntityManagerInterface $entity_manager
    *   The entity manager.
-   * @param \GuzzleHttp\ClientInterface $http_client
-   *   The HTTP Client.
    * @param \Drupal\hal\LinkManager\LinkManagerInterface $link_manager
    *   The hypermedia link manager.
    * @param \Drupal\Core\Extension\ModuleHandlerInterface $module_handler
    *   The module handler.
    */
-  public function __construct(EntityManagerInterface $entity_manager, ClientInterface $http_client, LinkManagerInterface $link_manager, ModuleHandlerInterface $module_handler) {
+  public function __construct(EntityManagerInterface $entity_manager, LinkManagerInterface $link_manager, ModuleHandlerInterface $module_handler) {
     parent::__construct($link_manager, $entity_manager, $module_handler);
-
-    $this->httpClient = $http_client;
   }
 
   /**
@@ -55,16 +44,4 @@ public function normalize($entity, $format = NULL, array $context = []) {
     return $data;
   }
 
-  /**
-   * {@inheritdoc}
-   */
-  public function denormalize($data, $class, $format = NULL, array $context = []) {
-    $file_data = (string) $this->httpClient->get($data['uri'][0]['value'])->getBody();
-
-    $path = 'temporary://' . drupal_basename($data['uri'][0]['value']);
-    $data['uri'] = file_unmanaged_save_data($file_data, $path);
-
-    return $this->entityManager->getStorage('file')->create($data);
-  }
-
 }
diff --git a/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php b/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php
index 05ee234893..8202a367da 100644
--- a/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php
+++ b/core/modules/hal/tests/src/Functional/FileDenormalizeTest.php
@@ -41,35 +41,10 @@ public function testFileDenormalize() {
 
     $this->assertTrue($denormalized instanceof File, 'A File instance was created.');
 
-    $this->assertIdentical('temporary://' . $file->getFilename(), $denormalized->getFileUri(), 'The expected file URI was found.');
-    $this->assertTrue(file_exists($denormalized->getFileUri()), 'The temporary file was found.');
-
     $this->assertIdentical($file->uuid(), $denormalized->uuid(), 'The expected UUID was found');
     $this->assertIdentical($file->getMimeType(), $denormalized->getMimeType(), 'The expected MIME type was found.');
     $this->assertIdentical($file->getFilename(), $denormalized->getFilename(), 'The expected filename was found.');
     $this->assertTrue($denormalized->isPermanent(), 'The file has a permanent status.');
-
-    // Try to denormalize with the file uri only.
-    $file_name = 'test_2.txt';
-    $file_path = 'public://' . $file_name;
-
-    file_put_contents($file_path, 'hello world');
-    $file_uri = file_create_url($file_path);
-
-    $data = [
-      'uri' => [
-        ['value' => $file_uri],
-      ],
-    ];
-
-    $denormalized = $serializer->denormalize($data, 'Drupal\file\Entity\File', 'hal_json');
-
-    $this->assertIdentical('temporary://' . $file_name, $denormalized->getFileUri(), 'The expected file URI was found.');
-    $this->assertTrue(file_exists($denormalized->getFileUri()), 'The temporary file was found.');
-
-    $this->assertIdentical('text/plain', $denormalized->getMimeType(), 'The expected MIME type was found.');
-    $this->assertIdentical($file_name, $denormalized->getFilename(), 'The expected filename was found.');
-    $this->assertFalse($denormalized->isPermanent(), 'The file has a permanent status.');
   }
 
 }