Typo in _istoken causes valid HTTP requests to be rejected. #12301

@kenballus

The bug

In f4fd674, a typo was made that causes tokens containing & to be incorrectly rejected. This causes, for example, requests with methods containing & to be rejected.

The current definition of _istoken looks like this:

def _istoken(b: bytes) -> bool:
    """
    Is the string a token per RFC 9110 section 5.6.2?
    """
    for c in b:
        if c not in (
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # ALPHA
            b"0123456789"  # DIGIT
            b"!#$%^'*+-.^_`|~"
        ):
            return False
    return b != b""

See how ^ is listed twice? The first one of those was probably intended to be a &. This would give the same order of characters listed in the tchar ABNF rule from the RFC.
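
An added example, not part of the original issue or the project's code: the check as quoted above set against a reference built from the RFC 9110 `tchar` rule, plus a small audit that flags missing, extra and duplicated characters in a hand-typed set. The names `istoken_as_quoted`, `istoken_rfc` and `audit_charset` are hypothetical.

```python
import string

# tchar per RFC 9110 section 5.6.2:
#   "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#   "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
RFC_TCHAR = frozenset(
    (string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode("ascii")
)

# Character set copied from the _istoken definition quoted in the issue.
ISSUE_TCHAR = (
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    b"0123456789"
    b"!#$%^'*+-.^_`|~"
)


def istoken_as_quoted(b: bytes) -> bool:
    """The check exactly as quoted in the issue (typo preserved)."""
    for c in b:
        if c not in ISSUE_TCHAR:
            return False
    return b != b""


def istoken_rfc(b: bytes) -> bool:
    """Reference check built from the RFC 9110 tchar rule."""
    return b != b"" and all(c in RFC_TCHAR for c in b)


def audit_charset(candidate: bytes):
    """Compare a hand-typed tchar set to the RFC set.

    Returns (missing, extra, duplicated) as sorted lists of one-byte values.
    """
    seen, dupes = set(), set()
    for c in candidate:
        if c in seen:
            dupes.add(c)
        seen.add(c)
    missing = sorted(bytes([c]) for c in RFC_TCHAR - seen)
    extra = sorted(bytes([c]) for c in seen - RFC_TCHAR)
    return missing, extra, sorted(bytes([c]) for c in dupes)
```

Running `audit_charset` over the quoted set in a unit test catches this class of typo without needing a per-character test case.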
