From 0ee050c555724f5641656db5b288faa2ec93b76b Mon Sep 17 00:00:00 2001
From: billz <billzimmerman@gmail.com>
Date: Thu, 5 Oct 2023 09:37:44 +0200
Subject: [PATCH] Initial commit

---
 ajax/adblock/update_blocklist.php       |   1 -
 ajax/bandwidth/get_bandwidth.php        |   6 +-
 ajax/bandwidth/get_bandwidth_hourly.php |   4 +-
 ajax/networking/do_sys_reset.php        |  49 +++++-----
 ajax/networking/get_all_interfaces.php  |   3 +-
 ajax/networking/get_channel.php         |   1 -
 ajax/networking/get_frequencies.php     |   5 +-
 ajax/networking/get_ip_summary.php      |   5 +-
 ajax/networking/get_netcfg.php          |   4 +-
 ajax/networking/wifi_stations.php       |  14 ++-
 ajax/openvpn/activate_ovpncfg.php       |   4 +-
 ajax/openvpn/del_ovpncfg.php            |   4 +-
 includes/adblock.php                    |   2 +-
 includes/autoload.php                   |   2 +-
 includes/csrf.php                       |  12 +--
 includes/dashboard.php                  |   4 +-
 includes/functions.php                  |  73 ---------------
 index.php                               |   8 +-
 src/RaspAP/Tokens/CSRFTokenizer.php     | 113 ++++++++++++++++++++++++
 templates/adblock.php                   |   3 +-
 templates/configure_client.php          |   1 -
 templates/dashboard.php                 |   5 +-
 templates/dhcp.php                      |   1 -
 templates/hostapd.php                   |   2 -
 templates/openvpn.php                   |   1 -
 templates/system.php                    |   1 -
 26 files changed, 180 insertions(+), 148 deletions(-)
 create mode 100644 src/RaspAP/Tokens/CSRFTokenizer.php

diff --git a/ajax/adblock/update_blocklist.php b/ajax/adblock/update_blocklist.php
index 86f326b4..7ac7d2e5 100644
--- a/ajax/adblock/update_blocklist.php
+++ b/ajax/adblock/update_blocklist.php
@@ -1,6 +1,5 @@
 <?php
 
-require '../../includes/csrf.php';
 require_once '../../includes/config.php';
 
 if (isset($_POST['blocklist_id'])) {
diff --git a/ajax/bandwidth/get_bandwidth.php b/ajax/bandwidth/get_bandwidth.php
index 70e9b882..691fbcec 100644
--- a/ajax/bandwidth/get_bandwidth.php
+++ b/ajax/bandwidth/get_bandwidth.php
@@ -1,8 +1,7 @@
 <?php
 
-require '../../includes/csrf.php';
-
-require_once '../../includes/config.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 
 $interface = filter_input(INPUT_GET, 'inet', FILTER_SANITIZE_SPECIAL_CHARS);
 if (empty($interface)) {
@@ -82,4 +81,3 @@ for ($i = count($jsonData) - 1; $i >= 0; --$i) {
 
 echo ' ]';
 
-
diff --git a/ajax/bandwidth/get_bandwidth_hourly.php b/ajax/bandwidth/get_bandwidth_hourly.php
index 5e2f93f1..bc93cbf1 100644
--- a/ajax/bandwidth/get_bandwidth_hourly.php
+++ b/ajax/bandwidth/get_bandwidth_hourly.php
@@ -1,6 +1,6 @@
 <?php 
-
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 
 if (filter_input(INPUT_GET, 'tu') == 'h') {
 
diff --git a/ajax/networking/do_sys_reset.php b/ajax/networking/do_sys_reset.php
index 05f36615..8f008d49 100644
--- a/ajax/networking/do_sys_reset.php
+++ b/ajax/networking/do_sys_reset.php
@@ -1,35 +1,28 @@
 <?php
 
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 require_once '../../includes/config.php';
-require_once '../../includes/session.php';
-require_once '../../includes/functions.php';
 
-if (isset($_POST['csrf_token'])) {
-    if (csrfValidateRequest() && !CSRFValidate()) {
-        handleInvalidCSRFToken();
-    }
-    $return = 0;
-    $path = "../../config";
-    $configs = array(
-        array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
-        array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
-        array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
-        array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
-    );
-    
-    foreach ($configs as $config) {
-        try {
-            $tmp = file_get_contents($config["src"]);
-            file_put_contents($config["tmp"], $tmp);
-            system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
-        } catch (Exception $e) {
-            $return = $e->getCode();
-        }
-    }
-    $jsonData = ['return'=>$return];
-    echo json_encode($jsonData);
+$return = 0;
+$path = "../../config";
+$configs = array(
+    array("src" => $path .'/hostapd.conf', "tmp" => "/tmp/hostapddata", "dest" => RASPI_HOSTAPD_CONFIG),
+    array("src" => $path .'/dhcpcd.conf', "tmp" => "/tmp/dhcpddata", "dest" => RASPI_DHCPCD_CONFIG),
+    array("src" => $path .'/090_wlan0.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'wlan0.conf'),
+    array("src" => $path .'/090_raspap.conf', "tmp" => "/tmp/dnsmasqdata", "dest" => RASPI_DNSMASQ_PREFIX.'raspap.conf'),
+);
 
-} else {
-    handleInvalidCSRFToken();
+foreach ($configs as $config) {
+    try {
+        $tmp = file_get_contents($config["src"]);
+        file_put_contents($config["tmp"], $tmp);
+        system("sudo cp ".$config["tmp"]. " ".$config["dest"]);
+    } catch (Exception $e) {
+        $return = $e->getCode();
+    }
 }
+$jsonData = ['return'=>$return];
+echo json_encode($jsonData);
+
 
diff --git a/ajax/networking/get_all_interfaces.php b/ajax/networking/get_all_interfaces.php
index b4e18572..f035c24f 100644
--- a/ajax/networking/get_all_interfaces.php
+++ b/ajax/networking/get_all_interfaces.php
@@ -1,6 +1,7 @@
 <?php
 
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 
 exec("ls /sys/class/net | grep -v lo", $interfaces);
 echo json_encode($interfaces);
diff --git a/ajax/networking/get_channel.php b/ajax/networking/get_channel.php
index 89d59ca2..e1581284 100644
--- a/ajax/networking/get_channel.php
+++ b/ajax/networking/get_channel.php
@@ -1,6 +1,5 @@
 <?php
 
-require '../../includes/csrf.php';
 require_once '../../includes/config.php';
 
 exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig);
diff --git a/ajax/networking/get_frequencies.php b/ajax/networking/get_frequencies.php
index 28d5ecd2..17ee4858 100644
--- a/ajax/networking/get_frequencies.php
+++ b/ajax/networking/get_frequencies.php
@@ -1,8 +1,9 @@
 <?php
 
-require '../../includes/csrf.php';
-require_once '../../includes/config.php';
+//require_once '../../includes/config.php';
 require_once '../../includes/locale.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 
 if (isset($_POST['interface'])) {
 
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index bee214de..e028a370 100644
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -1,8 +1,7 @@
 <?php
 
-require '../../includes/csrf.php';
-
-require_once '../../includes/functions.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 
 if (isset($_POST['interface'])) {
     $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
diff --git a/ajax/networking/get_netcfg.php b/ajax/networking/get_netcfg.php
index aee8e702..154f3efe 100644
--- a/ajax/networking/get_netcfg.php
+++ b/ajax/networking/get_netcfg.php
@@ -1,7 +1,9 @@
 <?php
 
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 require_once '../../includes/config.php';
+require_once '../../includes/functions.php';
 
 $interface = $_GET['iface'];
 
diff --git a/ajax/networking/wifi_stations.php b/ajax/networking/wifi_stations.php
index ecc9c098..0b18200b 100644
--- a/ajax/networking/wifi_stations.php
+++ b/ajax/networking/wifi_stations.php
@@ -1,9 +1,8 @@
 <?php
 
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 require_once '../../includes/config.php';
-require_once '../../includes/defaults.php';
-require_once '../../includes/functions.php';
 require_once '../../includes/wifi_functions.php';
 
 $networks = [];
@@ -20,4 +19,11 @@ $connected = array_filter($networks, function($n) { return $n['connected']; } );
 $known     = array_filter($networks, function($n) { return !$n['connected'] && $n['configured']; } );
 $nearby    = array_filter($networks, function($n) { return !$n['configured']; } );
 
-echo renderTemplate('wifi_stations', compact('networks', 'connected', 'known', 'nearby'), true);
+echo renderTemplate(
+    "wifi_stations", compact(
+        "networks",
+        "connected",
+        "known",
+        "nearby"
+    ),
+true);
diff --git a/ajax/openvpn/activate_ovpncfg.php b/ajax/openvpn/activate_ovpncfg.php
index 06cff8b9..9208cd8c 100644
--- a/ajax/openvpn/activate_ovpncfg.php
+++ b/ajax/openvpn/activate_ovpncfg.php
@@ -1,8 +1,8 @@
 <?php
 
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 require_once '../../includes/config.php';
-require_once '../../includes/functions.php';
 
 if (isset($_POST['cfg_id'])) {
     $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
diff --git a/ajax/openvpn/del_ovpncfg.php b/ajax/openvpn/del_ovpncfg.php
index 26e0a6c0..6ddb30a1 100644
--- a/ajax/openvpn/del_ovpncfg.php
+++ b/ajax/openvpn/del_ovpncfg.php
@@ -1,8 +1,8 @@
 <?php
 
-require '../../includes/csrf.php';
+require_once '../../includes/autoload.php';
+require_once '../../includes/csrf.php';
 require_once '../../includes/config.php';
-require_once '../../includes/functions.php';
 
 if (isset($_POST['cfg_id'])) {
     $ovpncfg_id = escapeshellcmd($_POST['cfg_id']);
diff --git a/includes/adblock.php b/includes/adblock.php
index 021f4d2c..931d8a0e 100755
--- a/includes/adblock.php
+++ b/includes/adblock.php
@@ -1,6 +1,6 @@
 <?php
 
-require_once 'config.php';
+require_once 'includes/config.php';
 
 /**
  * Manages ad blocking (dnsmasq) configuration
diff --git a/includes/autoload.php b/includes/autoload.php
index d39bd0c9..c09fe290 100755
--- a/includes/autoload.php
+++ b/includes/autoload.php
@@ -13,7 +13,7 @@ spl_autoload_register(function ($class) {
     $prefix = '';
 
     // base directory for the namespace prefix
-    $base_dir = 'src/';
+    $base_dir = $_SERVER['DOCUMENT_ROOT'] .'/src/';
 
     // normalize the base directory with a trailing separator
     $base_dir = rtrim($base_dir, DIRECTORY_SEPARATOR) . '/';
diff --git a/includes/csrf.php b/includes/csrf.php
index bca935df..94e22f00 100755
--- a/includes/csrf.php
+++ b/includes/csrf.php
@@ -1,8 +1,10 @@
 <?php
 
-require_once 'functions.php';
-require_once 'session.php';
-
-if (csrfValidateRequest() && !CSRFValidate()) {
-    handleInvalidCSRFToken();
+if ( class_exists('\RaspAP\Tokens\CSRFTokenizer')) {
+    $csrfToken = new \RaspAP\Tokens\CSRFTokenizer;
+    $csrfToken->ensureCSRFSessionToken();
+} else {
+    die('class failed to load!');
 }
+
+
diff --git a/includes/dashboard.php b/includes/dashboard.php
index 724a0175..50114aba 100755
--- a/includes/dashboard.php
+++ b/includes/dashboard.php
@@ -9,8 +9,10 @@ require_once 'includes/functions.php';
  */
 function DisplayDashboard(&$extraFooterScripts)
 {
-    getWifiInterface();
     $status = new \RaspAP\Messages\StatusMessage;
+    //$csrfToken = new \RaspAP\Tokens\CSRFTokenizer;
+
+    getWifiInterface();
     // Need this check interface name for proper shell execution.
     if (!preg_match('/^([a-zA-Z0-9]+)$/', $_SESSION['wifi_client_interface'])) {
         $status->addMessage(_('Interface name invalid.'), 'danger');
diff --git a/includes/functions.php b/includes/functions.php
index 24a42f15..8bfc5bdd 100755
--- a/includes/functions.php
+++ b/includes/functions.php
@@ -285,79 +285,6 @@ function filter_comments($var)
     return $var[0] != '#';
 }
 
-/**
- * Saves a CSRF token in the session
- */
-function ensureCSRFSessionToken()
-{
-    if (empty($_SESSION['csrf_token'])) {
-        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
-    }
-}
-
-/**
- * Add CSRF Token to form
- */
-function CSRFTokenFieldTag()
-{
-    $token = htmlspecialchars($_SESSION['csrf_token']);
-    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
-}
-
-/**
- * Retuns a CSRF meta tag (for use with xhr, for example)
- */
-function CSRFMetaTag()
-{
-    $token = htmlspecialchars($_SESSION['csrf_token']);
-    return '<meta name="csrf_token" content="' . $token . '">';
-}
-
-/**
- * Validate CSRF Token
- */
-function CSRFValidate()
-{
-    if(isset($_POST['csrf_token'])) {
-        $post_token   = $_POST['csrf_token'];
-        $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
-
-        if (empty($post_token) && empty($header_token)) {
-            return false;
-        }
-        $request_token = $post_token;
-        if (empty($post_token)) {
-            $request_token = $header_token;
-        }
-        if (hash_equals($_SESSION['csrf_token'], $request_token)) {
-            return true;
-        } else {
-            error_log('CSRF violation');
-            return false;
-        }
-    }
-}
-
-/**
- * Should the request be CSRF-validated?
- */
-function csrfValidateRequest()
-{
-    $request_method = strtolower($_SERVER['REQUEST_METHOD']);
-    return in_array($request_method, [ "post", "put", "patch", "delete" ]);
-}
-
-/**
- * Handle invalid CSRF
- */
-function handleInvalidCSRFToken()
-{
-    header('HTTP/1.1 500 Internal Server Error');
-    header('Content-Type: text/plain');
-    echo 'Invalid CSRF token';
-    exit;
-}
-
 /**
  * Test whether array is associative
  */
diff --git a/index.php b/index.php
index 83e2916d..bbd86843 100755
--- a/index.php
+++ b/index.php
@@ -23,11 +23,9 @@
  * as you leave these references intact in the header comments of your source files.
  */
 
-require 'includes/csrf.php';
-ensureCSRFSessionToken();
-
-require_once 'includes/config.php';
 require_once 'includes/autoload.php';
+require 'includes/csrf.php';
+require_once 'includes/config.php';
 require_once 'includes/defaults.php';
 require_once 'includes/locale.php';
 require_once 'includes/functions.php';
@@ -53,7 +51,7 @@ initializeApp();
 <html lang="en">
   <head>
     <meta charset="utf-8">
-    <?php echo CSRFMetaTag() ?>
+    <?php echo $csrfToken->CSRFMetaTag(); ?>
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <meta name="description" content="">
diff --git a/src/RaspAP/Tokens/CSRFTokenizer.php b/src/RaspAP/Tokens/CSRFTokenizer.php
new file mode 100644
index 00000000..211a029c
--- /dev/null
+++ b/src/RaspAP/Tokens/CSRFTokenizer.php
@@ -0,0 +1,113 @@
+<?php
+
+/**
+ * CSRF tokenizer class
+ *
+ * @description CSRF tokenizer class for RaspAP
+ * @author      Bill Zimmerman <billzimmerman@gmail.com>
+ * @author      Martin Glaß <mail@glasz.org>
+ * @license     https://github.com/raspap/raspap-webgui/blob/master/LICENSE
+ */
+
+declare(strict_types=1);
+
+namespace RaspAP\Tokens;
+
+class CSRFTokenizer
+{
+
+    // Constructor
+    public function __construct()
+    {
+        $this->ensureSession();
+        if ($this->csrfValidateRequest() && !$this->CSRFValidate()) {
+            $this->handleInvalidCSRFToken();
+        }
+    }
+
+    /**
+     * Saves a CSRF token in the session
+     */
+    public function ensureCSRFSessionToken()
+    {
+        if (empty($_SESSION['csrf_token'])) {
+            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+        }
+    }
+
+    /**
+     * Add CSRF Token to form
+     */
+    public function CSRFTokenFieldTag()
+    {
+        $token = htmlspecialchars($_SESSION['csrf_token']);
+        return '<input type="hidden" name="csrf_token" value="' . $token . '">';
+    }
+
+    /**
+     * Retuns a CSRF meta tag (for use with xhr, for example)
+     */
+    public function CSRFMetaTag()
+    {
+        $token = htmlspecialchars($_SESSION['csrf_token']);
+        return '<meta name="csrf_token" content="' . $token . '">';
+    }
+
+    /**
+     * Validates a CSRF Token
+     */
+    public function CSRFValidate()
+    {
+        if(isset($_POST['csrf_token'])) {
+            $post_token   = $_POST['csrf_token'];
+            $header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
+
+            if (empty($post_token) && empty($header_token)) {
+                return false;
+            }
+            $request_token = $post_token;
+            if (empty($post_token)) {
+                $request_token = $header_token;
+            }
+            if (hash_equals($_SESSION['csrf_token'], $request_token)) {
+                return true;
+            } else {
+                error_log('CSRF violation');
+                return false;
+            }
+        }
+    }
+
+    /**
+     * Should the request be CSRF-validated?
+     */
+    public function csrfValidateRequest()
+    {
+        $request_method = strtolower($_SERVER['REQUEST_METHOD']);
+        return in_array($request_method, [ "post", "put", "patch", "delete" ]);
+    }
+
+    /**
+     * Handle invalid CSRF
+     */
+    public function handleInvalidCSRFToken()
+    {
+        if (function_exists('http_response_code')) { 
+            http_response_code(500);
+            echo 'Invalid CSRF token';
+        } else {
+            header('HTTP/1.1 500 Internal Server Error');
+            header('Content-Type: text/plain');
+            echo 'Invalid CSRF token';
+        }
+        exit;
+    }
+    
+    protected function ensureSession()
+    {
+        if (session_status() == PHP_SESSION_NONE) {
+            session_start();
+        }
+    } 
+}
+
diff --git a/templates/adblock.php b/templates/adblock.php
index 6493100b..56f0c1c8 100755
--- a/templates/adblock.php
+++ b/templates/adblock.php
@@ -28,7 +28,6 @@
         <div class="card-body">
         <?php $status->showMessages(); ?>
           <form role="form" action="adblock_conf" enctype="multipart/form-data" method="POST">
-            <?php echo CSRFTokenFieldTag() ?>
             <!-- Nav tabs -->
             <ul class="nav nav-tabs">
                 <li class="nav-item"><a class="nav-link active" id="blocklisttab" href="#adblocklistsettings" data-toggle="tab"><?php echo _("Blocklist settings"); ?></a></li>
@@ -50,5 +49,5 @@
         <div class="card-footer"><?php echo _("Information provided by adblock"); ?></div>
       </div><!-- /.card -->
     </div><!-- /.col-lg-12 -->
-  </div><!-- /.row -->
+  </div><!-- /.row - $csrfToken->
 
diff --git a/templates/configure_client.php b/templates/configure_client.php
index aeca17bd..459ea14e 100755
--- a/templates/configure_client.php
+++ b/templates/configure_client.php
@@ -27,7 +27,6 @@
         <div class="row">
           <div class="col">
             <form method="POST" action="wpa_conf" name="wpa_conf_form">
-              <?php echo CSRFTokenFieldTag() ?>
               <input type="hidden" name="client_settings" ?>
               <div class="js-wifi-stations loading-spinner"></div>
             </form>
diff --git a/templates/dashboard.php b/templates/dashboard.php
index 3b727517..3d164483 100755
--- a/templates/dashboard.php
+++ b/templates/dashboard.php
@@ -123,14 +123,13 @@
         <div class="col-lg-12 mt-3">
           <div class="row">
             <form action="wlan0_info" method="POST">
-                <?php echo CSRFTokenFieldTag() ?>
                 <?php if (!RASPI_MONITOR_ENABLED) : ?>
                     <?php if (!$wlan0up) : ?>
                     <input type="submit" class="btn btn-success" value="<?php echo _("Start").' '.$clientInterface ?>" name="ifup_wlan0" />
                     <?php else : ?>
                     <input type="submit" class="btn btn-warning" value="<?php echo _("Stop").' '.$clientInterface ?>"  name="ifdown_wlan0" />
-                    <?php endif ?>
-                <?php endif ?>
+                    <?php endif; ?>
+                <?php endif; ?>
               <button type="button" onClick="window.location.reload();" class="btn btn-outline btn-primary"><i class="fas fa-sync-alt"></i> <?php echo _("Refresh") ?></a>
             </form>
           </div>
diff --git a/templates/dhcp.php b/templates/dhcp.php
index 6fe48917..94841c64 100755
--- a/templates/dhcp.php
+++ b/templates/dhcp.php
@@ -30,7 +30,6 @@
       <div class="card-body">
         <?php $status->showMessages(); ?>
         <form method="POST" action="dhcpd_conf" class="js-dhcp-settings-form">
-          <?php echo CSRFTokenFieldTag() ?>
 
           <!-- Nav tabs -->
           <ul class="nav nav-tabs mb-3">
diff --git a/templates/hostapd.php b/templates/hostapd.php
index b6f2fce7..b0e852fb 100755
--- a/templates/hostapd.php
+++ b/templates/hostapd.php
@@ -50,8 +50,6 @@
       <div class="card-body">
         <?php $status->showMessages(); ?>
         <form role="form" action="hostapd_conf" method="POST">
-          <?php echo CSRFTokenFieldTag() ?>
-
           <!-- Nav tabs -->
           <ul class="nav nav-tabs">
             <li class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" data-toggle="tab"><?php echo _("Basic"); ?></a></li>
diff --git a/templates/openvpn.php b/templates/openvpn.php
index 4e0adaba..a5b791b8 100755
--- a/templates/openvpn.php
+++ b/templates/openvpn.php
@@ -29,7 +29,6 @@
         <div class="card-body">
         <?php $status->showMessages(); ?>
           <form role="form" action="openvpn_conf" enctype="multipart/form-data" method="POST">
-            <?php echo CSRFTokenFieldTag() ?>
             <!-- Nav tabs -->
             <ul class="nav nav-tabs">
                 <li class="nav-item"><a class="nav-link active" id="clienttab" href="#openvpnclient" data-toggle="tab"><?php echo _("Client settings"); ?></a></li>
diff --git a/templates/system.php b/templates/system.php
index 65a3834e..4601af1c 100755
--- a/templates/system.php
+++ b/templates/system.php
@@ -11,7 +11,6 @@
       <div class="card-body">
         <?php $status->showMessages(); ?>
         <form role="form" action="system_info" method="POST">
-        <?php echo CSRFTokenFieldTag() ?>
         <ul class="nav nav-tabs" role="tablist">
           <li role="presentation" class="nav-item"><a class="nav-link active" id="basictab" href="#basic" aria-controls="basic" role="tab" data-toggle="tab"><?php echo _("Basic"); ?></a></li>
           <li role="presentation" class="nav-item"><a class="nav-link" id="languagetab" href="#language" aria-controls="language" role="tab" data-toggle="tab"><?php echo _("Language"); ?></a></li>