diff --git a/file_entity.module b/file_entity.module
index 5d058e4..78eedfb 100644
--- a/file_entity.module
+++ b/file_entity.module
@@ -426,6 +426,9 @@ function file_entity_permission() {
 'create files' => array(
 'title' => t('Add and upload new files'),
 ),
+ 'choose file destination' => array(
+ 'title' => t('Select a destination for each uploaded file'),
+ ),
 'view own private files' => array(
 'title' => t('View own private files'),
 ),
diff --git a/file_entity.pages.inc b/file_entity.pages.inc
index a00245a..30330a0 100644
--- a/file_entity.pages.inc
+++ b/file_entity.pages.inc
@@ -112,6 +112,17 @@ function file_entity_add_upload_step_upload($form, &$form_state, array $options
 '#default_value' => isset($form_state['storage']['upload']) ? $form_state['storage']['upload'] : NULL,
 );
+ if (user_access('choose file destination')) {
+ $form['path'] = array(
+ '#type' => 'textfield',
+ '#title' => t('Upload path'),
+ '#description' => t('Enter the path within the upload folder where you would like to place the file (e.g. "documents/finance"). Do not add preceding or trailing slashes. Leave blank to keep it at the root, with no subfolders.'),
+ '#default_value' => '',
+ '#required' => FALSE,
+ '#maxlength' => 255,
+ );
+ }
+
 $form['actions'] = array('#type' => 'actions');
 $form['actions']['next'] = array(
 '#type' => 'submit',
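Review bot: The new `'choose file destination'` entry in `file_entity_permission()` has a title but no description, although it lets the holder decide where files and directories are created on disk. Add one so site builders know what they are granting, for example `'description' => t('Create subdirectories under the upload folder and place uploaded files in them.'),`. The function body starts and ends outside the hunk.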
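Review bot: The `path` textfield added to the upload step has no validation of its own, so an unacceptable value is only rewritten silently later in `file_entity_upload_destination_uri()`. An `#element_validate` callback that rejects `.` and `..` segments, backslashes and `://` with `form_error()` would tell the user why the path was refused instead of placing the file somewhere they did not ask for. The description should also say whether tokens are expanded, because the value is later passed through `token_replace()`. The form builder continues outside this hunk.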
@@ -439,6 +450,24 @@ function file_entity_add_upload_submit($form, &$form_state) {
 // Change the file from temporary to permanent.
 $file->status = FILE_STATUS_PERMANENT;
+ // Move the file to the specified target directory if the user has
+ // the proper permission.
+ if (user_access('choose file destination')) {
+
+ // Get the URI for the target path.
+ $uri_new = file_entity_upload_destination_uri(array(
+ 'uri_scheme' => file_uri_scheme($file->uri),
+ 'file_directory' => $form_state['storage']['path'],
+ )) . "/" . drupal_basename($file->uri);
+
+ // If it changed, move the file to its new location.
+ if ($file->uri != $uri_new) {
+ $path = drupal_dirname($uri_new);
+ file_prepare_directory($path, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS);
+ $file = file_move($file, $uri_new, FILE_EXISTS_RENAME);
+ }
+ }
+
 // Save the form fields.
 // Keep in mind that the values for the Field API fields must be in
 // $form_state['values'] and not in ['storage']. This is true as long as
@@ -494,7 +523,12 @@ function file_entity_upload_destination_uri(array $params, array $data = array()
 'file_directory' => '',
 );
- $destination = trim($params['file_directory'], '/');
+ // Sanitize the provided path by removing any slashes and dots from the
+ // beginning and end, and neutralize any attempts to traverse up the tree.
+ // We're assuming it's not necessary to run check_url() on it because this is
+ // usually done on output.
+ $destination = trim($params['file_directory'], '/.');
+ $destination = str_replace('/../', '/', $destination);
 // Replace tokens.
 $destination = token_replace($destination, $data);
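Review bot: In the block added to `file_entity_add_upload_submit()`, the results of `file_prepare_directory()` and `file_move()` are not checked. `file_move()` returns FALSE on failure, which would overwrite `$file` and break the save that follows. Guard the move, e.g. `if (file_prepare_directory($path, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS) && ($moved = file_move($file, $uri_new, FILE_EXISTS_RENAME))) { $file = $moved; }`, and report the failure with `drupal_set_message()` otherwise. `$form_state['storage']['path']` is also read without an `isset()` check, and whether the upload step copies the new `path` value into storage is not visible here, so confirm it. The function body starts and ends outside the hunk.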
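Review bot: The single `str_replace('/../', '/', …)` pass in `file_entity_upload_destination_uri()` does not remove every parent-directory segment, because adjacent `..` segments share a slash and only alternate ones are matched; backslash-separated segments are not touched at all. The filter also runs before `token_replace()`, so whatever the tokens expand to is never checked. Expanding tokens first and then rebuilding the path from its individual segments, as below, closes both gaps. The comment about `check_url()` should be dropped, since URL escaping has no bearing on a filesystem path. The helper continues past the hunk, and the new `trim()` mask now strips leading and trailing dots for every caller, not only the new upload field.

```php
  // … unchanged: $params defaults …

  // Expand tokens first so the check below also covers their output.
  $destination = token_replace($params['file_directory'], $data);

  // Rebuild the path from real segments only: empty, "." and ".." components
  // are dropped, so the result cannot climb above the scheme root.
  $segments = preg_split('@[/\\\\]+@', $destination, -1, PREG_SPLIT_NO_EMPTY);
  $destination = implode('/', array_diff($segments, array('.', '..')));
```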