mirror of https://github.com/monstra-cms/monstra.git synced 2025-08-06 13:16:54 +02:00

Backup Plugin: csrf vulnerability resolved

Awilum
2012-10-03 13:46:00 +03:00
parent d36c06d8a6
commit 3f7b10592f
2 changed files with 29 additions and 19 deletions

5
plugins/box/backup/views/backend/index.view.php Normal file → Executable file

@@ -10,6 +10,7 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button('
<?php
echo (
Form::open() .
Form::hidden('csrf', Security::token()).
Form::checkbox('add_storage_folder', null, true, array('disabled' => 'disabled')) . ' ' . __('storage', 'backup') . ' ' . Html::nbsp(2) .
Form::checkbox('add_public_folder') . ' ' . __('public', 'backup') . ' ' . Html::nbsp(2) .
Form::checkbox('add_plugins_folder') . ' ' . __('plugins', 'backup') . ' ' . Html::nbsp(2) .
@@ -32,12 +33,12 @@ $().ready(function(){$('[name=create_backup]').click(function(){$(this).button('
<tr>
<td>
<?php $name = strtotime(str_replace('-', '', basename($backup, '.zip'))); ?>
<?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'admin/index.php?id=backup&download='.$backup); ?>
<?php echo Html::anchor(Date::format($name, 'F jS, Y - g:i A'), Option::get('siteurl').'admin/index.php?id=backup&download='.$backup.'&token='.Security::token()); ?>
</td>
<td><?php echo Number::byteFormat(filesize(ROOT . DS . 'backups' . DS . $backup)); ?></td>
<td>
<?php echo Html::anchor(__('Delete', 'backup'),
'index.php?id=system&sub_id=backup&delete_file='.$backup,
'index.php?id=system&sub_id=backup&delete_file='.$backup.'&token='.Security::token(),
array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete backup: :backup', 'backup', array(':backup' => Date::format($name, 'F jS, Y - g:i A')))."')"));
?>
</td>
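Review bot: The delete link in the second hunk still performs a state-changing action over GET, and the added `.'&token='.Security::token()` puts the anti-CSRF token in the URL, where it ends up in browser history, web-server access logs and possibly Referer headers; the download link has the same exposure. Delete would be better submitted as a small POST form carrying `Form::hidden('csrf', Security::token())`, as the create form in the first hunk now does. The form field is named `csrf` while both links use `token`; the handler that validates them is in the other changed file and not visible here, so confirm it checks both names and rejects requests where the value is missing. `$backup` is also concatenated into both URLs unencoded, so wrapping it in `rawurlencode($backup)` would keep an unusual file name from altering the query string.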