SSRF via unvalidated WWW-Authenticate realm in docker_pull module

An attacker in a man-in-the-middle position between bbot and a Docker registry can modify the `WWW-Authenticate` response header to point the `realm` parameter to an attacker-controlled endpoint (e.g., `http://169.254.169.254/latest/meta-data`). The original code blindly extracted the realm value and used it as the authentication endpoint, causing bbot to send its authentication token to the attacker's server. The patch adds TLD-based validation to prevent this redirection.

The vulnerability resides in `bbot/modules/docker_pull.py` in the `docker_api_request` method. The original code naively split the `WWW-Authenticate` header on `realm="` and `"` without any validation, allowing an attacker-in-the-middle to inject an arbitrary realm URL. The patch introduces `_parse_www_authenticate` and `_validate_realm` to properly parse the header and reject realms whose TLD does not match the registry's TLD.

The patch replaces the fragile string-splitting logic with a dedicated `_parse_www_authenticate` static method that correctly handles whitespace, field ordering, and missing fields. It then adds `_validate_realm`, which extracts the registered domain (TLD+1) from both the original registry URL and the realm URL using `split_domain`, and rejects the authentication flow if the domains do not match. This prevents an attacker from redirecting authentication to an arbitrary host.