To ensure tests don't step on each others toes, make sure we back up
the static properties of the global App class before running tests that
modify any of these properties.
This should fix issue #1828.
This patch makes it explicit that we store arrays in the config as json
encoded arrays, while we allow both json encoded and PHP serialized
arrays to be deserialized correctly. Unless it's a brand new install,
the existing data in the database will be PHP serialized.
I've also added a hardening measure in case we fall back to PHP
unserialize, making sure we're not vulnerable to a PHP Object Injection
attack. This means that deserializing arrays containing PHP objects will
no longer work, but afaict we never do that anyways, so I don't think
that should break anything.
