diff -up java/org/apache/catalina/servlets/DefaultServlet.java.orig java/org/apache/catalina/servlets/DefaultServlet.java

--- java/org/apache/catalina/servlets/DefaultServlet.java.orig	2019-02-12 09:16:19.144563964 -0500

+++ java/org/apache/catalina/servlets/DefaultServlet.java	2019-02-12 09:16:52.516485998 -0500

@@ -1103,6 +1103,10 @@ public class DefaultServlet

             location.append('?');

             location.append(request.getQueryString());

         }

+        // Avoid protocol relative redirects

+        while (location.length() > 1 && location.charAt(1) == '/') {

+            location.deleteCharAt(0);

+        }

         response.sendRedirect(response.encodeRedirectURL(location.toString()));

     }

diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml

--- webapps/docs/changelog.xml.orig	2019-02-12 09:18:01.155325629 -0500

+++ webapps/docs/changelog.xml	2019-02-12 09:18:36.354243382 -0500

@@ -57,6 +57,16 @@

   They eventually become mixed with the numbered issues. (I.e., numbered

   issues do not "pop up" wrt. others).

 -->

+<section name="Tomcat 7.0.76-9 (csutherl)">

+  <subsection name="Catalina">

+    <changelog>

+      <fix>

+        When generating a redirect to a directory in the Default Servlet, avoid

+        generating a protocol relative redirect. (markt)

+      </fix>

+    </changelog>

+  </subsection>

+</section>

 <section name="Tomcat 7.0.76-8 (csutherl)">

   <subsection name="Catalina">

     <changelog>