Comment 6 for bug 2048103

Brian Rosmaita (brian-rosmaita) wrote :

Looking at horizon, I think it passes the 'description' to glance as an additional image property:

https://opendev.org/openstack/horizon/src/commit/c528bfe84f25eef17d808d635ff17cf95e7a8136/openstack_dashboard/api/glance.py#L410-L426

@lujiefsi: have you tried to do this directly to the Image API without involving horizon?

Glance has a system-wide 'image_property_quota' setting (default: 128) that limits the number of properties that can be added to a particular image. Additionally, there is a per-user 'image_count_total' that controls how many images can be held by a project. So there are some levers in place to control how much garbage someone can stuff into the DB. Since an unauthorized user can't create/update an image, and a user must be in some project, I don't know how much of a DOS you can do with this vector (though the default image property quota may be a bit high).
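An added example, not part of the comment above and not Glance or Horizon code: an operator-side check that counts additional properties per image and images per project in records shaped like Image API v2 list output, and flags anything close to the two limits mentioned. The names `audit`, `sample_images` and `BASE_KEYS`, the list of base keys, the 80% warning ratio and the project limit of 10 are assumptions; the sample records are constructed.

```python
from collections import Counter

# Assumption: top-level keys Glance itself sets on a v2 image record. Any other
# key (for example the 'description' Horizon sends) counts as an additional
# image property, which is what image_property_quota limits.
BASE_KEYS = {
    "id", "name", "status", "visibility", "protected", "owner", "tags",
    "checksum", "os_hash_algo", "os_hash_value", "os_hidden", "size",
    "virtual_size", "container_format", "disk_format", "min_disk", "min_ram",
    "created_at", "updated_at", "self", "file", "schema", "direct_url",
    "locations", "stores",
}


def audit(images, property_quota=128, count_limit=None, warn_ratio=0.8):
    """Return (image_findings, project_findings) for records near their limits.

    property_quota mirrors image_property_quota (default 128 per the comment);
    count_limit stands in for the project's image_count_total, if one is set.
    """
    image_findings, per_project = [], Counter()
    for img in images:
        owner = img.get("owner") or "unknown"
        per_project[owner] += 1
        extra = [k for k in img if k not in BASE_KEYS]
        if len(extra) >= warn_ratio * property_quota:
            image_findings.append((img["id"], owner, len(extra)))
    project_findings = []
    if count_limit is not None:
        project_findings = [(p, n) for p, n in sorted(per_project.items())
                            if n >= warn_ratio * count_limit]
    return image_findings, project_findings


def sample_images():
    """Constructed records: one ordinary image, one stuffed with properties."""
    normal = {"id": "img-1", "owner": "proj-a", "name": "cirros",
              "status": "active", "description": "test image"}
    stuffed = {"id": "img-2", "owner": "proj-b", "name": "x", "status": "queued"}
    stuffed.update({f"junk_{i}": "A" * 200 for i in range(120)})
    filler = [{"id": f"img-b{i}", "owner": "proj-b", "status": "queued"}
              for i in range(8)]
    return [normal, stuffed] + filler


if __name__ == "__main__":
    by_image, by_project = audit(sample_images(), count_limit=10)
    print("images near property quota:", by_image)
    print("projects near image count limit:", by_project)
```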