diff -up java/org/apache/catalina/servlets/DefaultServlet.java.orig java/org/apache/catalina/servlets/DefaultServlet.java
--- java/org/apache/catalina/servlets/DefaultServlet.java.orig	2019-02-12 09:16:19.144563964 -0500
+++ java/org/apache/catalina/servlets/DefaultServlet.java	2019-02-12 09:16:52.516485998 -0500
@@ -1103,6 +1103,10 @@ public class DefaultServlet
             location.append('?');
             location.append(request.getQueryString());
         }
+        // Avoid protocol relative redirects
+        while (location.length() > 1 && location.charAt(1) == '/') {
+            location.deleteCharAt(0);
+        }
         response.sendRedirect(response.encodeRedirectURL(location.toString()));
     }
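Review bot: The added loop's condition inspects only `location.charAt(1)` and takes for granted that index 0 is already `/`; the builder is initialised above the hunk, in a method that begins outside it, so that cannot be confirmed from here. Stating the assumption in the guard costs nothing: `while (location.length() > 1 && location.charAt(0) == '/' && location.charAt(1) == '/') {`. The comment should also say why the collapse is needed, for example `// A Location starting with "//" is resolved by browsers as scheme-relative, so the next path segment would be read as a host; collapse leading slashes to one.` A regression test that requests a directory via a path with doubled leading slashes and asserts the Location header starts with a single `/` would keep this from regressing.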

diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
--- webapps/docs/changelog.xml.orig	2019-02-12 09:18:01.155325629 -0500
+++ webapps/docs/changelog.xml	2019-02-12 09:18:36.354243382 -0500
@@ -57,6 +57,16 @@
   They eventually become mixed with the numbered issues. (I.e., numbered
   issues do not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.76-9 (csutherl)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        When generating a redirect to a directory in the Default Servlet, avoid
+        generating a protocol relative redirect. (markt)
+      </fix>
+    </changelog>
+  </subsection>
+</section>
 <section name="Tomcat 7.0.76-8 (csutherl)">
   <subsection name="Catalina">
     <changelog>