magento / marketplace-eqp

Magento 1.x Coding Standard
http://docs.magento.com/marketplace/user_guide/Resources/pdf/Extension_Quality_Program_Overview.pdf
MIT License

Allow Serialize, Unserialize and mt_rand (Undo PR-115 changes) #116

Closed roerlemans closed 4 years ago

roerlemans commented 5 years ago

Why can't we use serialize and unserialize? Magento1 core is full of these functions. It would be better if we were allowed to use those 2 functions.

Same with mt_rand: random_int isn't a good alternative for that. It's a PHP7 function.

PR-115: https://github.com/magento/marketplace-eqp/pull/115/files

ravmenon commented 5 years ago

@ronn0 For serialize and unserialize, this was made severity 10 for security reasons.

M1 core may continue to have it for legacy reasons, but it should not prevent extensions from using safer alternatives.

However, in some cases we have made exceptions (e.g. an extension using a REST API which may require some params to be signed by md5, and there are no updates to these APIs yet), so if you file a support ticket at https://marketplacesupport.magento.com/hc/en-us with the reasons why the extension still needs to use serialize/unserialize, we can review it and approve it as needed.

Re mt_rand: as per the man page, there is a PHP 5.x version of random_int here: https://github.com/paragonie/random_compat.

In general, both M1 and M2 core may be using deprecated functions for legacy reasons, but newer modules (mostly relevant for M2), including 3rd-party extensions, are expected to follow current best practices.
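The safer alternatives the reviewer points to, written out as an added PHP example that is not code from this thread or from the marketplace-eqp repository; the Composer autoload path for paragonie/random_compat and the function names are assumptions.

```php
<?php
// Added example, not code from the marketplace-eqp repo or this thread:
// drop-in replacements for the functions the standard flags.

// 1. serialize()/unserialize() -> JSON for plain data (arrays, scalars).
//    json_decode() never instantiates classes, so untrusted input cannot
//    reach __wakeup()/__destruct() the way it can through unserialize().
function encodeForStorage(array $data)
{
    return json_encode($data);
}

function decodeFromStorage($encoded)
{
    $data = json_decode($encoded, true); // true => associative arrays only
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('Corrupt stored data');
    }
    return $data;
}

// 2. Where unserialize() must stay for now (the exception path the reviewer
//    describes), refuse object payloads. PHP 7.0+ has allowed_classes; on
//    PHP 5.x a coarse check for object tokens (O:/C:) is the fallback.
function unserializeScalarsOnly($payload)
{
    if (PHP_VERSION_ID >= 70000) {
        return unserialize($payload, array('allowed_classes' => false));
    }
    if (preg_match('/[OC]:\d+:"/', $payload)) {
        throw new InvalidArgumentException('Object payloads are not accepted');
    }
    return unserialize($payload);
}

// 3. mt_rand() -> random_int(). On PHP 5.x, paragonie/random_compat (the
//    polyfill linked above) supplies random_int()/random_bytes(); the
//    Composer autoload path below is an assumption.
if (!function_exists('random_int')) {
    require_once __DIR__ . '/vendor/autoload.php';
}

function pickWinner($entrantCount)
{
    return random_int(1, $entrantCount); // CSPRNG-backed, unlike mt_rand()
}
```

The PHP 5.x token check is intentionally coarse: it can reject a legitimate string that happens to contain `O:1:"`, but it never lets an object through, which is the failure mode that matters.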