I don't think this can be fixed to match < 2.0 behaviour. A local source or target is being honoured correctly, it's just (probably) not what the user intended. It doesn't "replicate to backdoor ports", it's reading/writing directly, not using http.
"foo" in the :5986/_replicator db works as expected and it's not entirely unreasonable that "foo" in the :5984/_replicator means exactly the same thing.
I don't think it's appropriate to prohibit local source/target unless we will do so for the node-local :5986/_replicator database as well as the clustered :5984/_replicator database.
The hack in chttpd.erl is actually quite bad. It uses http (not https, even if available) and uses the local nodes public IP address, so is not fault-tolerant.
Still, the behaviour between _replicate and _replicator is inconsistent. This has been true in the bigcouch codebase since forever so it's arguably not release blocking, but now is the time to decide what behaviour we desire. To that end, these are all the options I think we can actually deliver in a short timeframe;
1) remove fix_uri/possibly_hack from _replicate. This means "foo" always means a local db (and therefore unsharded and unreachable by default).
2) prohibit local source/target in all cases (_replicate will return a 400 Bad Request and _replicator will reject a document update that tries to insert it).