diff --git a/core/modules/system/lib/Drupal/system/Tests/System/SystemFilePathsTest.php b/core/modules/system/lib/Drupal/system/Tests/System/SystemFilePathsTest.php
new file mode 100644
index 0000000..3b4a5f0
--- /dev/null
+++ b/core/modules/system/lib/Drupal/system/Tests/System/SystemFilePathsTest.php
@@ -0,0 +1,63 @@
+<?php
+
+/**
+ * @file
+ * Contains Drupal\system\Tests\System\SystemFilePathsTest.
+ */
+
+namespace Drupal\system\Tests\System;
+
+use Drupal\simpletest\WebTestBase;
+
+/*
+ * Test setting paths for the file system.
+ */
+class SystemFilePathsTest extends WebTestBase {
+
+  public static function getInfo() {
+    return array(
+      'name' => 'System file paths',
+      'description' => 'Tests that protected file directories are not the same as public file directories.',
+      'group' => 'System',
+    );
+  }
+
+  function setUp() {
+    parent::setUp(array('system_test'));
+
+    // Create an administrator user.
+    $this->adminUser = $this->drupalCreateUser(array('access administration pages', 'administer site configuration'));
+    $this->drupalLogin($this->adminUser);
+  }
+
+  /**
+   * Test that the private and temporary file paths must differ from the public.
+   */
+  function testUniquePrivateDirectoryPath() {
+    $this->drupalGet('admin/config/media/file-system');
+
+    // First, test with relative directories.
+    $edit = array();
+    $edit['file_public_path'] = 'sites/default/files';
+    $edit['file_private_path'] = 'sites/default/files';
+    $edit['file_temporary_path'] = 'sites/default/files';
+
+    $this->drupalPost('admin/config/media/file-system', $edit, t('Save configuration'));
+
+    $this->assertText('The private file system path must not be the same as the public file system path.', 'Relative private path is not public path.');
+    $this->assertText('The temporary directory must not be the same as the public file system path.', 'Relative temporary path is not public path.');
+
+    // Now, test with absolute paths and "..".
+    $edit = array();
+    $edit['file_public_path'] = '/tmp/../tmp';
+    $edit['file_private_path'] = '/tmp';
+    $edit['file_temporary_path'] = '/tmp';
+
+    $this->drupalPost('admin/config/media/file-system', $edit, t('Save configuration'));
+
+    $this->assertText('The private file system path must not be the same as the public file system path.', 'Absolute private path is not public path.');
+    $this->assertText('The temporary directory must not be the same as the public file system path.', 'Absolute temporary path is not public path.');
+
+  }
+
+}
diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc
index d08c4ce..e3e435d 100644
--- a/core/modules/system/system.admin.inc
+++ b/core/modules/system/system.admin.inc
@@ -1720,17 +1720,22 @@ function system_clear_page_cache_submit($form, &$form_state) {
 /**
  * Form builder; Configure the site file handling.
  *
- * @ingroup forms
  * @see system_settings_form()
+ * @see system_file_system_settings_validate()
+ * @see system_file_system_settings_submit()
+ * @ingroup forms
  */
 function system_file_system_settings() {
+  $form = array(
+    '#validate' => array('system_file_system_settings_validate'),
+    '#submit' => array('system_file_system_settings_submit'),
+  );
   $form['file_public_path'] = array(
     '#type' => 'textfield',
     '#title' => t('Public file system path'),
     '#default_value' => variable_get('file_public_path', conf_path() . '/files'),
     '#maxlength' => 255,
     '#description' => t('A local file system path where public files will be stored. This directory must exist and be writable by Drupal. This directory must be relative to the Drupal installation directory and be accessible over the web.'),
-    '#after_build' => array('system_check_directory'),
   );
 
   $form['file_private_path'] = array(
@@ -1739,7 +1744,6 @@ function system_file_system_settings() {
     '#default_value' => variable_get('file_private_path', ''),
     '#maxlength' => 255,
     '#description' => t('An existing local file system path for storing private files. It should be writable by Drupal and not accessible over the web. See the online handbook for <a href="@handbook">more information about securing private files</a>.', array('@handbook' => 'http://drupal.org/documentation/modules/file')),
-    '#after_build' => array('system_check_directory'),
   );
 
   $form['file_temporary_path'] = array(
@@ -1748,7 +1752,6 @@ function system_file_system_settings() {
     '#default_value' => variable_get('file_temporary_path', file_directory_temp()),
     '#maxlength' => 255,
     '#description' => t('A local file system path where temporary files will be stored. This directory should not be accessible over the web.'),
-    '#after_build' => array('system_check_directory'),
   );
   // Any visible, writeable wrapper can potentially be used for the files
   // directory, including a remote file system that integrates with a CDN.
@@ -1770,6 +1773,41 @@ function system_file_system_settings() {
 }
 
 /**
+ * Form validation handler for the system_file_system_settings() form.
+ *
+ * Validates that the private and temporary directories do not resolve to the
+ * same location as the public directory.
+ *
+ * @see system_file_system_settings_submit()
+ */
+function system_file_system_settings_validate($form, &$form_state) {
+  $resolved_public_path = realpath($form['file_public_path']['#value']);
+  $resolved_private_path = realpath($form['file_private_path']['#value']);
+  $resolved_temporary_path = realpath($form['file_temporary_path']['#value']);
+
+  if ($resolved_public_path == $resolved_private_path) {
+    form_set_error('file_private_path', t('The private file system path must not be the same as the public file system path.'));
+  }
+
+  if ($resolved_public_path == $resolved_temporary_path) {
+    form_set_error('file_temporary_path', t('The temporary directory must not be the same as the public file system path.'));
+  }
+}
+
+/**
+ * Form submission handler for the system_file_system_settings() form.
+ *
+ * Verify public, private, and temporary paths exist, or can be created.
+ *
+ * @see system_file_system_settings_validate()
+ */
+function system_file_system_settings_submit($form, &$form_state) {
+  system_check_directory($form['file_public_path'], FALSE);
+  system_check_directory($form['file_private_path'], TRUE);
+  system_check_directory($form['file_temporary_path'], TRUE);
+}
+
+/**
  * Form builder; Configure site image toolkit usage.
  *
  * @ingroup forms
diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 950fee6..24081b1 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -2662,10 +2662,14 @@ function system_admin_menu_block($item) {
  * This function is called from the system_settings form to check all core
  * file directories (file_public_path, file_private_path, file_temporary_path).
  *
- * @param $form_element
+ * @param array $form_element
  *   The form element containing the name of the directory to check.
+ * @param bool $private
+ *   (optional) If $private == TRUE, create an .htaccess file configured for
+ *   secure access in the directory specified by $form_element.  Defaults to
+ *   TRUE.
  */
-function system_check_directory($form_element) {
+function system_check_directory($form_element, $private = TRUE) {
   $directory = $form_element['#value'];
   if (strlen($directory) == 0) {
     return $form_element;
@@ -2683,14 +2687,7 @@ function system_check_directory($form_element) {
     watchdog('file system', 'The directory %directory exists but is not writable and could not be made writable.', array('%directory' => $directory), WATCHDOG_ERROR);
   }
   elseif (is_dir($directory)) {
-    if ($form_element['#name'] == 'file_public_path') {
-      // Create public .htaccess file.
-      file_save_htaccess($directory, FALSE);
-    }
-    else {
-      // Create private .htaccess file.
-      file_save_htaccess($directory);
-    }
+    file_save_htaccess($directory, $private);
   }
 
   return $form_element;
