TcfEuV2CoreSegment decoder incorrectly accepts corrupt PublisherRestrictions #67

@jamescooper-blis

Attached is a real-world example of a TCF string where the PublisherRestrictions field has been corrupted due to a bug in the CMP.
The issue is that your reference decoder accepts this string.

  • There is logic in the PublisherRestrictions decoder AbstractEncodableBitStringDataType::getHardFailIfMissing() that allows this field to be missing, however the field is not missing - it is corrupt.

  • This means that anyone who uses this decoder, or has their own direct port of it, may be unknowingly ignoring the PublisherRestrictions field.

  • Also, this logic only works because PublisherRestrictions is the last data field.

Our custom decoder rejects this string and this has led to confusion as the string is accepted by the popular online test decoders (except for https://iabtcf.com/#/decode, which also rejects this string).

Possible Solution:

  • The decoder needs to distinguish between 'missing' and 'corrupt'.

Example string:

CQLvHAAQLvHAAAKA4DENBaFsAP_gAEPgAAwIKxtX_G9_bXlr8X736ftkeY1f99h77sQxBhZBk-4FzLvW_JwX32E7NA36tqYKmRIAu3TBIQNlHJDURVCgaogVrTDMaEyUoTtKJ6BkiFMRY2dYCFxvm4tjeQCY5vr991d52R-tbdrs3dzyy4hnv3a9_-S1WJCdA5-tDfv9bROb89IO5_x8v4v4_N7pE2_eT1l_tWvp7D9-ctv_9XX99_fbff9Pn_-uB_-_X__f_H37grAAQYCABAEAQICAAAAAQAAEAAEABAAAAAAACgAABEEAAEDAAAQAIAQAAABAABAAAAIAAAAAgACAAAAAEAgAAAACgADAAAAAAAYAAAMAEgIAAAAAQACmABAIFAAEJAFAEACEAEEAIQAABAEACAEABRwBAACBAoAAAQAAEAAAFgIDgAQEpAgACIgEAAAIAEAggAAEQjYACCAASCqqBAiiCAQLBoQFPaQAkgBACDgmQAgABQAHAAsA

The line of code in question is:

fields.put(TcfEuV2Field.PUBLISHER_RESTRICTIONS, new EncodableArrayOfFixedIntegerRanges(6, 2, new ArrayList<>(), false));

Passing false to the EncodableArrayOfFixedIntegerRanges constructor allows it to accept corrupt data.
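
One way to separate "missing" from "corrupt" for this field, as an added Java example that is not code from the library or from the issue author. The class and method names are hypothetical, the input is assumed to be a string of '0'/'1' characters, and the rule that only an empty or short all-zero remainder counts as missing is an assumption; the field widths follow the TCF v2 PublisherRestrictions layout.

```java
// Added illustration, not code from the library. All names here are hypothetical.
public class PubRestrictionsCheck {
    enum Status { MISSING, VALID, CORRUPT }

    private final String bits; // '0'/'1' characters (assumed input form)
    private int pos;

    private PubRestrictionsCheck(String bits, int pos) { this.bits = bits; this.pos = pos; }

    // Reads n bits as an unsigned integer; throws if the input ends first.
    private int read(int n) {
        if (pos + n > bits.length()) {
            throw new IllegalStateException("input ends inside a field at bit " + pos);
        }
        int value = Integer.parseInt(bits.substring(pos, pos + n), 2);
        pos += n;
        return value;
    }

    // start = bit offset at which PublisherRestrictions should begin.
    static Status classify(String bits, int start) {
        String rest = start < bits.length() ? bits.substring(start) : "";
        // Assumption: only "nothing left" or short all-zero padding counts as missing.
        if (rest.length() < 12 && !rest.contains("1")) return Status.MISSING;
        PubRestrictionsCheck r = new PubRestrictionsCheck(bits, start);
        try {
            int restrictions = r.read(12);                   // NumPubRestrictions
            for (int i = 0; i < restrictions; i++) {
                r.read(6);                                   // PurposeId
                r.read(2);                                   // RestrictionType
                int entries = r.read(12);                    // NumEntries
                for (int j = 0; j < entries; j++) {
                    boolean isRange = r.read(1) == 1;        // IsARange
                    int first = r.read(16);                  // StartOrOnlyVendorId
                    int last = isRange ? r.read(16) : first; // EndVendorId
                    if (last < first) return Status.CORRUPT;
                }
            }
            return Status.VALID;
        } catch (IllegalStateException e) {
            return Status.CORRUPT; // bits were present but the structure is incomplete
        }
    }

    public static void main(String[] args) {
        // Constructed samples: one restriction (purpose 2, type 1), one single-vendor entry (id 5).
        String ok = "000000000001" + "000010" + "01" + "000000000001" + "0" + "0000000000000101";
        System.out.println(classify("", 0));                  // nothing after the previous field
        System.out.println(classify(ok, 0));                  // complete field
        System.out.println(classify(ok.substring(0, 40), 0)); // cut off inside the vendor id
    }
}
```

A caller that gets CORRUPT can reject the whole string, while MISSING can still fall back to an empty restriction list.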

Labels: bug (Something isn't working); investigate (To validate if still an issue); reviewed (For library maintainers only. Indicates that this issue was reviewed.)
