New project NAME disclosed through unsubscribe link

HackerOne report #708155 by ashish_r_padelkar on 2019-10-05, assigned to @ankelly:

Summary

Hello,

This issue is similar to #650574, but this one discloses the project NAME and you should NOT log in to GitLab.

Steps to reproduce

  1. Subscribe to any public project issue/merge request.
  2. Let anyone comment on the issue or merge request so that you receive an email.
  3. Owner now makes the project private.
  4. Owner changes the NAME of the project.
  5. Now visit the unsubscribe link from the email WITHOUT LOGGING in to GitLab. It will show you a button to unsubscribe because you are not logged in, but it also discloses the new name of the project, like below:

Screenshot_2019-10-05_at_16.13.48.png

What is the current bug behavior?

The unsubscribe issue link discloses the new project name if the project goes from public to private.

What is the expected correct behavior?

The new project name should not be disclosed.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too!

Regards,
Ashish

Impact

Discloses new project NAME when project becomes private.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screenshot_2019-10-05_at_16.13.48.png
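The behaviour in the steps above, and a hardened variant that only names the project when the visitor could read it anyway, as an added Ruby example (not GitLab's code; Project, SentNotification, members and viewer are constructed stand-ins for the real models):

```ruby
# Added example; not GitLab's code. Models the unsubscribe-link behaviour the
# report describes and a hardened variant. Project, SentNotification, members
# and viewer are constructed stand-ins for the real models.

Project = Struct.new(:name, :visibility, :members)
# reply_key stands in for the opaque token carried by the unsubscribe link.
SentNotification = Struct.new(:reply_key, :project)

# Reported behaviour: the confirmation page names the project for anyone
# holding the link, even after the project went private and was renamed.
def unsubscribe_prompt_vulnerable(notification, _viewer)
  "Unsubscribe from notifications for project '#{notification.project.name}'?"
end

# Visibility check: public projects are readable by everyone; private
# projects only by members. A nil viewer means not logged in.
def can_read_project?(project, viewer)
  return true if project.visibility == :public
  !viewer.nil? && project.members.include?(viewer)
end

# Hardened behaviour: reveal the project name only when the viewer could read
# the project anyway; otherwise confirm with a generic prompt.
def unsubscribe_prompt_hardened(notification, viewer)
  if can_read_project?(notification.project, viewer)
    "Unsubscribe from notifications for project '#{notification.project.name}'?"
  else
    "Unsubscribe from these notifications?"
  end
end

# Replays the report's steps: subscribe while the project is public and
# receive the email, then the owner makes it private and renames it, then an
# anonymous visitor opens the link. Returns the prompt each variant renders.
def replay_report
  project = Project.new("old-public-name", :public, ["owner"])
  email_link = SentNotification.new("constructed-reply-key", project)
  project.visibility = :private
  project.name = "new-secret-name"
  anonymous = nil
  {
    vulnerable: unsubscribe_prompt_vulnerable(email_link, anonymous),
    hardened: unsubscribe_prompt_hardened(email_link, anonymous),
    member: unsubscribe_prompt_hardened(email_link, "owner")
  }
end

puts replay_report if __FILE__ == $PROGRAM_NAME
```

The hardened prompt still lets the link holder unsubscribe; it only withholds the project's current name from visitors who cannot read the project.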