diff --git a/INSTALL.txt b/INSTALL.txt
index d221d09933d73a45bd7f1aebdb473e59685301fc..290e9a84b28a24ce1ba3cd96b371cfd4ef619bde 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -189,6 +189,13 @@ INSTALLATION
    by the Drupal server process. You can change the name of this
    subdirectory at "Administer > Settings > File system settings".
 
+   SECURITY NOTICE: Certain Apache configurations can be vulnerable 
+   to a security exploit allowing arbitrary code execution. Drupal 
+   will attempt to automatically create a .htaccess file in your 
+   "files" directory to protect you. If you already have a .htaccess 
+   file in that location, please add the following line: 
+   SetHandler This_is_a_Drupal_security_line_do_not_remove
+
    You can now launch your browser and point it to your Drupal site.
 
    Create an account and login. The first account will automatically
diff --git a/includes/file.inc b/includes/file.inc
index 3b1b7f1c1e94d3ed35d31c22853a8295325a82b6..e14f390367f2ff8be179b6cf2dec6020d8abc330 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -105,6 +105,17 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
     }
   }
 
+  if ((variable_get('file_directory_temp', FILE_DIRECTORY_TEMP) == $directory || variable_get('file_directory_path', 'files') == $directory) && !is_file("$directory/.htaccess")) {
+    if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
+      fclose($fp);
+    }
+    else {
+      $message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: <code>SetHandler This_is_a_Drupal_security_line_do_not_remove</code>", array('%directory' => $directory));
+      form_set_error($form_item, $message);
+      watchdog('file system', $message, WATCHDOG_ERROR);
+    }
+  }
+
   return true;
 }