    [wip] Authenticate large/iterable cached data before unpickling.

    Review Request #15124 — Created June 16, 2026 and updated — Latest diff uploaded

    Information

    Djblets
    master

    Large and iterable cache data is always pickled and stored in the cache
    backend, and was deserialized with no integrity check. Given the
    sensitive nature of pickling, we don't want to unpickle anything that we
    don't trust.

    Cached pickle data is now authenticated with an HMAC-SHA256 keyed on
    the cache encryption key (which falls back to SECRET_KEY), independent
    of whether encryption is enabled. The MAC is computed over the
    concatenated pickled items and stored alongside the chunk count, in the
    form "<count>:<mac>". On read, the assembled data is verified eagerly,
    before any of it reaches pickle.load(); a mismatch is treated as a cache
    miss and the value is recomputed.

    Old (pre-7.0) entries with a bare count and forged/tampered data both
    fail this check and are recomputed rather than deserialized.

    Ran unit tests.
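
The scheme in the description above, as an added sketch that is not Djblets' code: the MAC covers the concatenated pickled items, the header is stored as "<count>:<mac>", and verification happens before any byte reaches pickle.load(). The names `store_items`, `load_items`, `CHUNK_SIZE` and `MISS`, the dict standing in for the cache backend, and the chunk key naming are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import pickle

CHUNK_SIZE = 16  # hypothetical; tiny so the sample data spans several chunks
MISS = object()  # hypothetical sentinel: caller recomputes the value


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store_items(cache: dict, name: str, items, key: bytes) -> None:
    """Pickle each item, chunk the bytes, and record "<count>:<mac>"."""
    data = b"".join(pickle.dumps(item) for item in items)
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    for i, chunk in enumerate(chunks):
        cache[f"{name}-{i}"] = chunk
    cache[name] = f"{len(chunks)}:{_mac(key, data)}"


def load_items(cache: dict, name: str, key: bytes):
    """Return the cached items, or MISS if the data cannot be authenticated."""
    header = cache.get(name)
    if not isinstance(header, str):
        return MISS
    count_str, sep, stored_mac = header.partition(":")
    # A bare count (old format) has no separator and is never unpickled.
    if not sep or not (count_str.isascii() and count_str.isdigit()):
        return MISS
    chunks = [cache.get(f"{name}-{i}") for i in range(int(count_str))]
    if any(not isinstance(c, bytes) for c in chunks):
        return MISS
    data = b"".join(chunks)
    # Verify the whole assembled buffer eagerly, in constant time, before
    # pickle sees it. Comparing bytes avoids errors on non-ASCII input.
    if not hmac.compare_digest(_mac(key, data).encode(), stored_mac.encode()):
        return MISS
    items, stream = [], io.BytesIO(data)
    while stream.tell() < len(data):
        items.append(pickle.load(stream))
    return items
```

The count itself is not part of the MAC input, but changing it changes which chunks are assembled, so the recomputed MAC no longer matches.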
