Fix Request::referer(true) returning scheme-relative URLs

src/Http/ServerRequest.php

@@ -576,7 +576,7 @@ class ServerRequest implements ArrayAccess, ServerRequestInterface
         if (!empty($ref) && !empty($base)) {
             if ($local && strpos($ref, $base) === 0) {
                 $ref = substr($ref, strlen($base));
-                if (!strlen($ref)) {
+                if (!strlen($ref) || strpos($ref, '//') === 0) {
                     $ref = '/';
                 }
                 if ($ref[0] !== '/') {

tests/TestCase/Http/ServerRequestTest.php

@@ -723,6 +723,9 @@ class ServerRequestTest extends TestCase
         $result = $request->referer();
         $this->assertSame('http://cakephp.org', $result);
 
+        $result = $request->referer(true);
+        $this->assertSame('/', $result);
+
         $request->env('HTTP_REFERER', '');
         $result = $request->referer();
         $this->assertSame('/', $result);
@@ -731,6 +734,10 @@ class ServerRequestTest extends TestCase
         $result = $request->referer(true);
         $this->assertSame('/some/path', $result);
 
+        $request->env('HTTP_REFERER', Configure::read('App.fullBaseUrl') . '///cakephp.org/');
+        $result = $request->referer(true);
+        $this->assertSame('/', $result); // Avoid returning scheme-relative URLs.
+
         $request->env('HTTP_REFERER', Configure::read('App.fullBaseUrl') . '/0');
         $result = $request->referer(true);
         $this->assertSame('/0', $result);