Fix CakeRequest::referer(true) returning scheme-relative URLs

Backport of #11503 (and #8795)

lib/Cake/Network/CakeRequest.php

@@ -439,7 +439,7 @@ public function referer($local = false) {
 		if (!empty($ref) && !empty($base)) {
 			if ($local && strpos($ref, $base) === 0) {
 				$ref = substr($ref, strlen($base));
-				if (empty($ref)) {
+				if (!strlen($ref) || strpos($ref, '//') === 0) {
 					$ref = '/';
 				}
 				if ($ref[0] !== '/') {

lib/Cake/Test/Case/Network/CakeRequestTest.php

@@ -739,6 +739,9 @@ public function testReferer() {
 		$result = $request->referer();
 		$this->assertSame($result, 'https://cakephp.org');
 
+		$result = $request->referer(true);
+		$this->assertSame('/', $result);
+
 		$_SERVER['HTTP_REFERER'] = '';
 		$result = $request->referer();
 		$this->assertSame($result, '/');
@@ -751,6 +754,18 @@ public function testReferer() {
 		$result = $request->referer(true);
 		$this->assertSame($result, '/some/path');
 
+		$_SERVER['HTTP_REFERER'] = Configure::read('App.fullBaseUrl') . '///cakephp.org/';
+		$result = $request->referer(true);
+		$this->assertSame('/', $result); // Avoid returning scheme-relative URLs.
+
+		$_SERVER['HTTP_REFERER'] = Configure::read('App.fullBaseUrl') . '/0';
+		$result = $request->referer(true);
+		$this->assertSame('/0', $result);
+
+		$_SERVER['HTTP_REFERER'] = Configure::read('App.fullBaseUrl') . '/';
+		$result = $request->referer(true);
+		$this->assertSame('/', $result);
+
 		$_SERVER['HTTP_REFERER'] = Configure::read('App.fullBaseUrl') . '/some/path';
 		$result = $request->referer(false);
 		$this->assertSame($result, Configure::read('App.fullBaseUrl') . '/some/path');