From 9c932f71ec5a450954cee92ff9450974414ac1d8 Mon Sep 17 00:00:00 2001
From: Matthias Marquardt <marquardt24@gmail.com>
Date: Thu, 7 Sep 2023 17:51:16 +0200
Subject: [PATCH] CookieJar - return 'best-match' and not LIFO (#7577)

Co-authored-by: marq24 <marq24@emac.de>
---
 CHANGES/7577.bugfix     |  1 +
 CONTRIBUTORS.txt        |  1 +
 aiohttp/cookiejar.py    |  3 ++-
 tests/test_cookiejar.py | 30 ++++++++++++++++++++++++++++++
 4 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 CHANGES/7577.bugfix

diff --git a/CHANGES/7577.bugfix b/CHANGES/7577.bugfix
new file mode 100644
index 00000000000..361497fd780
--- /dev/null
+++ b/CHANGES/7577.bugfix
@@ -0,0 +1 @@
+Fix sorting in filter_cookies to use cookie with longest path -- by :user:`marq24`.
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index c35444e3f53..e9724e7dcd0 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -228,6 +228,7 @@ Martin Richard
 Mathias Fröjdman
 Mathieu Dugré
 Matt VanEseltine
+Matthias Marquardt
 Matthieu Hauglustaine
 Matthieu Rigal
 Matvey Tingaev
diff --git a/aiohttp/cookiejar.py b/aiohttp/cookiejar.py
index 6891c0adf97..a35c15f344b 100644
--- a/aiohttp/cookiejar.py
+++ b/aiohttp/cookiejar.py
@@ -256,7 +256,8 @@ def filter_cookies(
             and request_origin not in self._treat_as_secure_origin
         )
 
-        for cookie in self:
+        # Point 2: https://www.rfc-editor.org/rfc/rfc6265.html#section-5.4
+        for cookie in sorted(self, key=lambda c: len(c["path"])):
             name = cookie.key
             domain = cookie["domain"]
 
diff --git a/tests/test_cookiejar.py b/tests/test_cookiejar.py
index 163bedaee0d..755838fbeac 100644
--- a/tests/test_cookiejar.py
+++ b/tests/test_cookiejar.py
@@ -704,6 +704,36 @@ async def make_jar():
         self.assertEqual(len(jar_filtered), 1)
         self.assertEqual(jar_filtered["path-cookie"].value, "one")
 
+    def test_path_filter_diff_folder_same_name_return_best_match_independent_from_put_order(
+        self,
+    ) -> None:
+        async def make_jar():
+            return CookieJar(unsafe=True)
+
+        jar = self.loop.run_until_complete(make_jar())
+        jar.update_cookies(
+            SimpleCookie("path-cookie=one; Domain=pathtest.com; Path=/one; ")
+        )
+        jar.update_cookies(
+            SimpleCookie("path-cookie=zero; Domain=pathtest.com; Path=/; ")
+        )
+        jar.update_cookies(
+            SimpleCookie("path-cookie=two; Domain=pathtest.com; Path=/second; ")
+        )
+        self.assertEqual(len(jar), 3)
+
+        jar_filtered = jar.filter_cookies(URL("http://pathtest.com/"))
+        self.assertEqual(len(jar_filtered), 1)
+        self.assertEqual(jar_filtered["path-cookie"].value, "zero")
+
+        jar_filtered = jar.filter_cookies(URL("http://pathtest.com/second"))
+        self.assertEqual(len(jar_filtered), 1)
+        self.assertEqual(jar_filtered["path-cookie"].value, "two")
+
+        jar_filtered = jar.filter_cookies(URL("http://pathtest.com/one"))
+        self.assertEqual(len(jar_filtered), 1)
+        self.assertEqual(jar_filtered["path-cookie"].value, "one")
+
 
 async def test_dummy_cookie_jar() -> None:
     cookie = SimpleCookie("foo=bar; Domain=example.com;")