Don't use FORWARDED_HOST when getting referer values.

HTTP_X_FORWARDED_HOST is supposed to be used by proxies to indicate the
original HTTP_HOST value. It has nothing to do with referer values.

Since the HTTP_X_FORWARDED_HOST is intended to replace the HOST header
in proxied setups, add a trustProxy parameter to host() and default it
to false. This maintains existing behavior and allows people to access
the proxied value.

Fixes #2537

lib/Cake/Network/CakeRequest.php

@@ -417,10 +417,6 @@ public function clientIp($safe = true) {
  */
 	public function referer($local = false) {
 		$ref = env('HTTP_REFERER');
-		$forwarded = env('HTTP_X_FORWARDED_HOST');
-		if ($forwarded) {
-			$ref = $forwarded;
-		}
 
 		$base = Configure::read('App.fullBaseUrl') . $this->webroot;
 		if (!empty($ref) && !empty($base)) {
@@ -667,9 +663,13 @@ public function method() {
 /**
  * Get the host that the request was handled on.
  *
+ * @param boolean $trustProxy Whether or not to trust the proxy host.
  * @return string
  */
-	public function host() {
+	public function host($trustProxy = false) {
+		if ($trustProxy) {
+			return env('HTTP_X_FORWARDED_HOST');
+		}
 		return env('HTTP_HOST');
 	}
 

lib/Cake/Test/Case/Network/CakeRequestTest.php

@@ -698,10 +698,6 @@ public function testReferer() {
 		$_SERVER['HTTP_REFERER'] = Configure::read('App.fullBaseUrl') . '/recipes/add';
 		$result = $request->referer(true);
 		$this->assertSame($result, '/recipes/add');
-
-		$_SERVER['HTTP_X_FORWARDED_HOST'] = 'cakephp.org';
-		$result = $request->referer();
-		$this->assertSame($result, 'cakephp.org');
 	}
 
 /**
@@ -804,9 +800,11 @@ public function testMethod() {
  */
 	public function testHost() {
 		$_SERVER['HTTP_HOST'] = 'localhost';
+		$_SERVER['HTTP_X_FORWARDED_HOST'] = 'cakephp.org';
 		$request = new CakeRequest('some/path');
 
 		$this->assertEquals('localhost', $request->host());
+		$this->assertEquals('cakephp.org', $request->host(true));
 	}
 
 /**