diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index 9feca90e9..75df313f6 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -43,7 +43,7 @@ import (
 const mediaIDCharacters = "A-Za-z0-9_=-"
 
 // Note: unfortunately regex.MustCompile() cannot be assigned to a const
-var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
+var mediaIDRegex = regexp.MustCompile("^[" + mediaIDCharacters + "]+$")
 
 // downloadRequest metadata included in or derivable from a download or thumbnail request
 // https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid
diff --git a/sytest-whitelist b/sytest-whitelist
index 6dbc7ab2b..035b9b36e 100644
--- a/sytest-whitelist
+++ b/sytest-whitelist
@@ -272,3 +272,10 @@ Inbound federation of state_ids requires event_id as a mandatory paramater
 Federation rejects inbound events where the prev_events cannot be found
 Outbound federation requests missing prev_events and then asks for /state_ids and resolves the state
 Alternative server names do not cause a routing loop
+Events whose auth_events are in the wrong room do not mess up the room state
+Inbound federation can return events
+Inbound federation can return missing events for world_readable visibility
+Inbound federation can return missing events for invite visibility
+Inbound federation can get public room list
+An event which redacts itself should be ignored
+A pair of events which redact each other should be ignored
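Review bot: The comment above `mediaIDRegex` in mediaapi/routing/download.go still only explains why it is a `var`, so nothing tells a later editor that the `^`/`$` anchors are the validation itself: an unanchored pattern matches any input that merely contains one allowed character. I would add `// Anchored at both ends so the whole media ID must consist of mediaIDCharacters; do not drop ^ or $.` above the declaration. In Go's regexp `$` without `(?m)` matches only at the end of the text, so a trailing newline is rejected as well, which is worth stating in that comment for readers used to PCRE. The code that applies the regex is outside this hunk, so confirm that every path taking a media ID from a request goes through it, and whether a maximum length is enforced there, since `+` leaves the length unbounded. The visible diff adds no unit test for the pattern; a small table test that rejects the empty string and an ID containing `/` or `.` would keep the anchors from regressing.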